Andrew: Hey there, freedom fighters. My name is Andrew Warner. I’m the founder of Mixergy, home of the ambitious, and this is the site where the people who build the companies we love and admire come to talk about how they built those businesses.
And today, I’ve got a conversation about the founding and the growth of Evernote, and after that, as you guys, if you heard my interviews, I use all the time– actually, every single interview I have a note on the guest with all my research and Evernote up on my screen.
And today, I’ve got with me, David Engberg, who is the CTO of Evernote Corporation, a technology company that is developing systems to help people capture and retrieve any information they want to remember. This interview is sponsored by Scott Edward Walker of Walker Corporate Law. I’ll tell you more about him and life. You’re an entrepreneur, you should check out his firm. But first, Dave, I want to welcome you.
Dave: Thanks, Andrew.
Andrew: Hey, I asked you before we started, “How do I make this a win for you?” And you said, “You know, Andrew, we’re a consumer-facing company. This interview isn’t really about me because there’s not much that we can get from here, but I want to give back, especially help out someone who is where I was seven years ago.” So, where were you seven years ago?
Dave: Yes, in 2007, we had a very small amount of funding, and a team of about ten to 15 people doing different things to quickly put together a service to keep track of everything that you want to know in your life, all of your memories, all of the details, all the notes.
So we had about six months to put together a website, a webinar phase, a mobile webinar phase, a Mac client that synchronizes all your data back and forth, a Windows client, and at that time, we also had a Windows mobile 6.5 because that was what smartphones were.
We threw that all together in probably about five months and launched a closed beta starting around Valentine’s Day in 2008. And then we opened up to the world out of beta, I think, in June or July of 2008. So seven years ago, we were working 14 hour days every day trying to put together the basic Evernote.
Andrew: And look at how far you’ve come today. How many users, how many different clients do you have, and how many paying customers?
Dave: Yeah, absolutely. Over the last eight years, we’ve tracked over a hundred million different people who’ve used at least one piece of our software. About 75 million of those have created accounts, and on a monthly basis, we’ve got about 16 million people who use something that we built.
I guess, in terms of paying customers, I think it’s somewhere in the 20% range, but that’s paying us in some mechanism. There are some people who pay us directly with a credit card. In other ways we get revenue by the partnerships that we’ve got. So there’s some bundling, some partnerships, and then some direct revenue.
Andrew: Some partners of yours will buy Evernote premium accounts for the users to make their handsets or to make their products more powerful?
Dave: Exactly. When we launched, we thought initially that we would be some sort of mix of advertising and direct revenue. We didn’t really know what the mix was going to be. Maybe it will be like 25% ads and 75% direct. But as we started working, we realized that an ad-based business model is very hard to reconcile with a service that’s built around privacy. You know, we built Evernote to cover 90% of your life, where you’re not bragging about your dogs and your kids and your dinner.
Like it was the anti-social network in 2008 when everybody was only funding social networks and games that go on Facebook, things like that. So we realized that trying to take your most private personal data and monetize it would have required some compromises that we would have had to get any sort of revenue offer that we would have had to leak information about you and your content to advertisers.
Like Google AdWords won’t give you any money at all if you can’t let them see the content to what they’re advertising with. And that’s just wasn’t acceptable to us.
So we built an internal ad mechanism. We got a little bit of revenue off of that, but I’m sure you realized that the thing that our ads was doing that resulted in the most money was just convincing people that they should pay us, and we decided we just do that more directly. Just make it clear that even though Evernote can be used for free for your entire life, actually just suggesting to people, “Hey, you want to give us some money? That was pretty effective, and–
Andrew: It’s a little more than “Hey, you want to give us some money?” It’s, “If you give us some money we’ll give you all these great features like, we will make your PDFs searchable after you upload them.”
Andrew: There are massive amounts of data. I actually hired someone to come sit in my office and do nothing but use the SnapScan and scan all of my data into my Evernote account so that I wouldn’t have to deal with it. I could do that because I’m a Premium Member.
Now if you were, Dave, to go back in time seven years — I kind of hate this question, but because it came up before, because you said I want to help the person where I was seven years ago, I think it’s important to ask it. If you could go back in time seven years ago and speak to Dave and even Phil and say, “Look, I want to give you advice from the future.” What would that one piece of advice be?
Dave: Well, if you have a time machine, I think the easiest thing to give advice around is trends that we didn’t necessarily see coming. I think mobile caught a lot of people by surprise, and quite frankly we sort of lucked into it. Being there at the right time with a good consumer product application at the rise of mobile was really important,
I think we’ve learned some lessons over time about how to help third party developers a lot more. There were things that we did fairly early that assumed that everyone who developed against our API would have as much background and access and knowledge as we’ve got internally. And that’s kind of unrealistic. So I think the things we could have done earlier to make our API not just powerful but also a little easier to use.
Ultimately, in this industry there’s always this perception that if a company is successful, it’s just because the folks who were involved just did a brilliant job. I think really like doing a good job is necessary but not sufficient, and the successful companies tend to be there at the right time. And so we were there —
Andrew: Just going a good job and hitting whatever the trend is at the right time which might explain why you guys jumped on watches. Now I can get Evernote on my watch before most people had it. I’m living in San Francisco now. I think I’ve seen maybe three or four Pebble watches.
Andrew: I’ve seen as many Google Glass wearers as Smart Watch wearers.
Andrew: So is that the plan that you can jump on this new technology early in case it becomes a thing that everybody’s wearing?
Dave: Right. And I think that what we’re selling to our users is that we will let you capture your memories wherever you are and access them wherever you are. And that means that we look at the new platforms really early, and we try to be there on anything that has promise early. Sometimes that works out. We were there at launch on the iPhone, and sometimes it doesn’t. We were there at launch on the Palm Pre. And both of those were good platforms, but sometimes you end up putting effort into something that doesn’t pan out.
We’ve got a couple of our clients can do things with Google Glass. We’ve got something on via the Samsung Smart Phones and the Pebble is just a project. We’ve got a great engineer out of the U.K. or out of Switzerland who is from the U.K. originally that he did the Pebble project on the side. It was a very fruitful concept.
We don’t have illusions that that will absolutely turn into millions of users but exploring the idea is important to understand what will work for wearables. I don’t think wearables are going to look like they do today five years from now.
Andrew: So just before Evernote you were working as an engineer at Core Street. You were planning something similar to Evernote. What was the idea that you had in your head?
Dave: Right. So Phil had been our CEO. He and I were at a security company called Core Street out in Boston, and he had been exploring the ideas of memory for a long time. And he really wanted to do a startup with something you’d carry around with you that would allow you to just capture your memories easily,
At the time he was mostly focused on it as a hardware problem. So he was trying to visualize like what is this thing that you could have with you, like an egg shaped device where you just capture memories. And it’s got a camera; it’s got a microphone. That was, say, 2005, the vision that everybody — a billion people around the planet would be carrying around a CPU and a camera and a microphone.
That was not available so I think the general idea was something that had been percolating for a long time, but when we left Core Street and decided to go on our own that finding the right place to take that idea and build a lifetime service for memories was our priority.
Andrew: So it was the two of you thinking about this same idea which was a device that you give or sell, I should say, to your users, and they carry it around with them. Got it.
Dave: Right. That was Phil’s big thing. We had a number of people that we had worked with before and that we brought together pretty quickly to build a team. And there was an existing company in the Bay area and in Moscow called Evernote that had been doing a note taking application for Windows as a Window’s kind of a shareware application. That was really advanced for its time. It was much better than Microsoft OneNote, let’s say, and it had a lot of accolades.
But fundamentally it was targeting the sort of people that would go out of their way to install Window’s productivity software. And what Phil had a vision for was a service that would make it more of a lifestyle service that would transcend the productivity niche and make it something that could have more of, more the profile of an internet service that would grow like an internet service not like a Window’s application.
Andrew: Okay so with that in mind and that awareness of where you wanted to go, what was the step that you guys first took?
Dave: That’s a good question. The first step is obviously putting together a team. We brought in Phil Constantinou, someone that I’ve known since freshman year in college back in 1990. He and I had done a couple projects before in the past. He came in and took over all of our product development.
Andrew Sinkov, our head of marketing, he was with us at Core street and really in the early days the best thing you can do for a startup is to bring in a small core people that you already know and trust. Recruiting an absolute top tier A level person into a startup, that hasn’t even had an A round is going to be really, really difficult because you are competing with the Twitters and the Googles and the Facebook. And you don’t yet have the profile of Sequoia saying that you’re awesome.
I tend to tell people who are coming out of college that your first job or two out of college you’re not optimizing to get a billion dollar exit in your first job. Optimize for networking with people and finding folks that you would want to work with in the future.
The Valley is fairly small. A lot of people end up doing five or ten jobs over the course of their career. And find the people that if you have to sit in a room with people for 50 hours a week working under stressful situation find the people that you won’t hate to work with and the people you can trust to do their jobs.
Andrew: What did you trust about Phil that made you say, “Yes, this is a guy that I want to spend maybe the rest of my life with?”
Dave: Right, right. There are two Phils. Phil Libin, I have known him for about 15 years. He is everything you would want in a tech visionary. He is an enthusiast. He absolutely deeply loves technology and he really loves where it is going. He is the optimist who can see the future and communicate why it’s awesome and everyone else can come along for the ride. I’m more the dark side of the Yin Yang. I’m pretty good at finding all the things that can go wrong.
So having someone who can spot all the way that things can succeed and then I can be the half that looks at all the ways that things can fail and try to prevent failure. You need both of those and in general I think having a CEO that can communicate to the outside world why what you are doing is very important for the world. Is probably more useful than having a CEO who can sit around and figure out why the database isn’t quite fast enough.
Andrew: I’m wondering if maybe something I said earlier may have triggered your concern about what could go wrong. We started out this conversation and before we hit record officially. I told you I want to be upfront about where this is going, we’re going to talk about your story and I want to ask a few questions later on in the interview about security.
And I had a sense that something changed in the conversation, and I’m wondering did that make you say, hey we usually have a mechanism for doing interviews like this the person is vetted. I don’t know that Andrew is vetted enough where is he going to go with these security questions. Is he going to make my company look bad, am I going to make my company look bad, is this a mistake. Did you start going in that direction?
Dave: No, not at all. Literally I spend most of my day what is on the verge of going wrong and try to stop it. And a lot of things are not catastrophically wrong but like sniffing out that there is a problem with the latest version of our Window’s client that is slightly over reporting some sort of data. That’s the sort of thing that snowballs over time if you don’t get it cleaned up and that’s exactly what I was doing right before this call was trying to track down whether we are over reporting activity numbers from our Window’s client.
And that skill of actually caring very deeply about what’s going on and worrying all the time. That’s what I would hire for the most for technical people. If I had to choose between someone who is really good at producing a very nice looking demo versus someone who is really good in sitting in a debugger and finding out why something was wrong, I would take the debugger hands down every single time. Like having one or two people who can just do the shiny stuff and not actually sort out problems is fine.
Andrew: Why the debugger?
Dave: The ability to sit down with an unknown problem in a complex system and narrow it down to its source. As opposed to it is really easy to find folks who can just throw out random theories. Well it might be this or it might be that and they just throw those out and let someone else figure it out.
The most useful skill, I think, is being able to narrow it down. Is it on the left side of the line or the right side of the line? Well how can I make a test that can establish that? Run the test. Okay, now I’ve narrowed it down to this 50% of all problems. Now how can I keep narrowing down the problem scientifically such that at the end of the day I will know that I have fixed it?
For engineers that is what I look for the most. Someone that when there is a problem will they will sit down like a badger and keep working until it’s figured out for real. Instead of just trying random stuff and hoping it works.
Andrew: I have a friend who does that Bob Hiler but he will be up until like 6:00 A.M. after having woken up early just looking for that thing. And then when you talk to him about it he is like bleary eyed and nearly nuts because of it. But I understand the significance of it. Most people would have given up after 20 minutes.
Andrew: I pride myself on doing research really well and as you see we actually have a pre-interviewer. But there is something here that actually threw me, that you said, Evernote product existed before you as a team came in and bought it out. I didn’t recognize that I actually went on Wikipedia, and it’s not in there. So how did you end up acquiring or merging in with Evernote the product that existed?
Dave: Yeah, there was a company that had been around for several years before that. I don’t know the exact date but sometime in the 2000’s in the aughts. A guy named Stephan Patrickoff [SP] put together this team primarily out of Moscow to build the product called EverNote. At that time it had a capital N in the middle. Our marketing guy, his first job was getting rid of the camel case, so the capital N went away.
But the team that built Evernote they were focused on building a really great Windows desktop note taking application that was competing head to head with a part of Microsoft Office from Microsoft. They did a really great job of it they had a few tens of thousands of users and a number of those folks are still with the company.
So I think what they had was really great researchers and the product that they had packaged of Window’s shareware was kind of unfindable in 2007. They had some great ideas and great technology. And what Phil Libin brought to the table was a team of people that could execute on a pretty significant pivot which would be to build a lifelong service as opposed to desktop application.
Andrew: I think Wikipedia does have it wrong and I’ll have to correct it. I will ask you the same question that Ray Croc was asked for the rest of his life which is why did he buy McDonalds from the McDonald brothers instead of launching something on his own. Why didn’t you guys as a team create your product from scratch?
Dave: Phil loved what the guys had actually built here. We have some researchers like Alex Passionstuff(sp) he is our R and D team. The things they can do with image processing to find handwriting it is unparalleled in the world. And it is under appreciated because it gets kind of lost in a lot of other of our features. The team that put together a lot of underlining technology of the original Windows Evernote.
They had a couple companies before that they had sold. They were actually the team that had built the handwriting recognition for the Apple Newton back in the day. They were in the Soviet Union and they were able to submit a proposal for the Newton handwriting recognition against a couple western companies. There’s was accepted because they had written something that could run on such a low C.P.U. footprint compared to all the western companies because had.
So they were able to make a great pitch to Apple and move to Cupertino to build that technology. Their great brilliant folks and like I said, we still have about seven or eight folks from that team still around. Alex Patrick Hoth(sp) who is the head of partnerships. He was the IT guy when he started here and he is just fantastic at what he is doing. I think being able to come into a team with such great technical depth was really important and basically made it so that Evernote could launch with a lot of significant differentiators.
Andrew: From the beginning you focused very tightly on getting the platform in place and you built your own hardware even though you don’t recommend that for most people. I want to ask about both. Why don’t we start with hardware? You don’t recommend for 95% of other startups why is it important for Evernote to write its own hardware?
Dave: The default would be to be on Amazon. Amazon web service is just fantastic. I’m just amazed by what they built they have executed extremely well and I would recommend most folks use that. Amazon is in particular is fantastic if your application has bursts.
So if you use a lot of networking one day and then the next day it all goes away because you are running a Super Bowl ad and you’re going to get a huge spike in usage. Or if you have bursts of CPU like some days you’re doing eight times as much activity as other days. And they can just spin up servers really easy or bursts of storage where you are going to upload like eight trillion images process them and then throw them away.
That’s what Amazon’s fantastic at. Evernote, unfortunately, doesn’t have any of that. Our networking is extremely smooth and flat. Our CPU usage, same sort of thing and our storage just builds over time. Or business model says, if you update data to Evernote today we will hold it forever, even if you are not paying us. We will do it for the rest of your life. That’s what we’re offering. And that doesn’t map very well to what Amazon prices their storage at. Amazon charges per GB per month.
So if you were to upload a GB of scans today, we would pay per month for the rest of time. For us it’s just a lot cheaper for us to put a petabyte of data onto hardware that we run and maintain. Even if we do 8 levels of redundancy, it’s just cheaper for us to do it ourselves, over the long haul rather than paying Amazon to do the storage.
For us it’s something that I would prefer not to do. Running your own hardware is just a pain. We’ve had to deal with all sorts of arcane hardware problems and I would love to make that Amazon’s problem. Recently we were having some problems with certain servers, they were a bit flakey. It turned out that the power supplies, the little modules that you stick the cord into, they needed a firmware upgrade. I didn’t even know that power supplies had firmware. It is just bizarre that the thing you stick the cord into has firmware.
We had to sit down, go through all these servers, carefully take out one of the two power supplies, do a firmware upgrade, put it back in, do another one and it just took like a couple days. It was really tedious and I don’t recommend that most people sign up for that. But ultimately for our business model, like you just got to do the math on what your business model looks like and make the decision.
Andrew: It was that calculated. Ahead of time you sat down, you said, where is this going, let’s lay it out in a spreadsheet. Or did you just intuit based on the data you just gave me?
Dave: Well in 2007, there wasn’t really a great cloud option. Like Amazon didn’t really have a viable option at that time. But a couple years later you start looking into A rounds and all the VCs are going to say, hey why aren’t you at Amazon. It’s like oh, God, okay.
So that eventually forces you to do the math. And we sat down and did it. We did an aggressive analysis and what we found was, probably for at least the first 18 to 24 months we would have come out ahead. Mostly on labor savings by not having someone who has to go down to the data center and swap out hard drives. You can hire fewer people. But we crossed over the point pretty quickly.
Five years ago we basically hit the inflection point where we are saving money on a long term basis by having more operation staff but paying less for storage.
Andrew: The platform you started out thinking about it early, about APIs early. Why?
Dave: We knew from the very beginning that we wanted to have applications that had 100% of your data. That you would synchronize your entire account down to your computer. That really differentiates you from being just a web service. I think at the time a lot of folks thought that applications are dead, software is dead, You just do everything on the web. But we knew that the level of engagement and the level of commitment that you get from a user once there is an app installed on their desktop is just so different that it was valuable for us.
So we put a lot of money into building all these applications. Like you mentioned we probably have like 30 different apps that you can install on something. With all the permutations of skitch(sp) on Winphone 7 and Evernote on it. With all those permutations we have 30 different apps that we developed. From the very beginning we knew that we wanted a very rigorous synchronization data model that would make it so that you could work on an airplane with our applications, it wasn’t tied to just a website.
So we designed the API first. So the very first thing was designing, what the structured, rigorous, interphases with the security model around every single call first. And then we built our own applications on top of that. Even including our web applications are built on top of the same API. That is pretty important because stapling on an API after the fact is pretty painful.
There’s people who’ve done it. There have been successful web applications that have made the transition. I think late night Twitter is a good example, they have millions of 3rd party developers. So it can be done but the more complicated your application is the more painful it is to try to retrofit a well-structured API on to it.
Andrew: When I interview entrepreneur about their failed companies. Often what they say is, we tried to do too much and we went for all these different areas. Many cities instead of one city, many different platforms instead of one. In your case I’m looking at your saying at the top of the interview, we spent months making sure that our app was a desktop app that worked on multiple platforms. We built our own hardware, we made sure the A.P.I. would scale and allow others to build apps on top of it, years in the future. Why did it work for you, especially at a time when you had limited resources?
Dave: It’s tough, there’s the conventional wisdom about focus. Companies fail if they try to do too many things. But if you look at companies, there is another set of companies that fail that you basically get accused of not innovating. A company like, why did Blackberry fail, why is Rim, well they haven’t failed, but why have they declined.
The conventional wisdom there is that they didn’t do enough. You can fail if you don’t do enough and you can fail if you do too much. We knew that we were making a fairly large promise. We wanted to be the best place to keep your memories for your life and we wanted to be ubiquitous everywhere. So the core of our business model was always fairly broad. This was not a very narrowly tailored applications.
So we knew that for our mission statement it was going to have a fairly large footprint. I think that is the important thing, for what you are promising to deliver, what’s the least you can do to do deliver that well. But I guess as a guiding principle, I don’t think that standard platitudes of focus and whatnot are necessarily actionable because you can get it wrong in both directions.
Andrew: So it wouldn’t have made sense for you to say we are going to focus just on Windows and Mac and when you’re on those two platforms we’ll make sure that we save your data forever. And then once you conquer that expand and expand. Would that have worked?
Dave: I think if we had been more conservative if we hadn’t been there at launch on the Android platform for example. Evernote would exist today, we would be a smaller company, we would be valued less, we’d have less revenue, we would have fewer users.
For us, part of what our investors were investing in was a commitment to go large pretty early. That includes what you have talked about, platforms. But it also includes international. We’ve staffed up for a full localization and internationalization and country specific PR at a very early stage. Pretty much year three we had an international team that was doing all of that.
We’ve been translated into probably 40 different languages. We’ve got local business development all over the place. That was an intentional decision to do something fairly expensive and fairly like expensive both in terms of money and time. But ultimately that was setting us up for growth down the road if we hadn’t done it early we would have lost out on opportunities. If we had not made the best version of Evernote in German. That would have left an opportunity for someone else to build the Evernote of Germany.
And the biggest example would be China. In China because of the internet connection to the rest of the world. It is very, very hard to be a competitive internet service without having servers in China. But we knew that for various privacy and political reasons, we didn’t want any Evernote [SP] data being stored on servers in China.
So we put together a new service in China, called Inchangbege[SP], that runs on Chinese servers in a Chinese data center run by a team of folks that we staffed over there as a whole foreign entity. That was because, like I said, if we did not launch an Evernote in China there would have been a competitor that would have come in and we would have lost out on the opportunity. Going big is pretty difficult. Again, just because we do it, I wouldn’t recommend it to most companies.
Andrew: What…speaking of… well actually, not necessarily directly related. all my data is in Evernote. All of our data is in Evernote. Has government agencies gotten access to your user data?
Dave: Obviously, we are required to comply with the laws of any place that we are doing business. We are citizens of United States and we are required to comply with laws. That said, we have made an intentional decision that, as a company that is about storing your private data, our intentional internal policy is to make absolutely every attempt to look after the interest of our users first and the privacy of our users first. So the policy, I would phrase it anecdotally as, we will push back to the full extent that we are possibly able to do.
We haven’t really articulated that as formally as Twitter. I think they have really led the way in stating that that is their intent. They will push back until the point where the lawyers say they absolutely have to turn over and then they will turn over the absolute minimum they are required to do. That is the same for us.
Of course, we are not legally allowed to say what we have or have not disclosed. For Evernote, we have mostly slipped under the radar because we are not a public communications platform. What is being said on Twitter and Facebook is visible to the whole world, whereas what your storing in your Evernote account tends to be pretty private. So we haven’t … we are not a fairly common place for people to go looking for information.
Andrew: Have government agencies asked for and received data on users more than a couple of dozen times?
Dave: I’m probably not allowed to say that, now that I think about it. Yeah, I think there are specific parts of legislation that certain types of requests, you aren’t even allowed to quantify except for in some sort of bands. So we are working on a transparency report that lets us say to the absolute, most specific allowed by the law what we have.
Sometimes it’s kind of weird, because we’ve had some requests coming in that are structured as law enforcement requests and are with the full knowledge and desire of the users. So, for example, if someone were to lose an iPhone, it’s stolen, and they want to get information that law enforcement can go track down the person who stole it.
The end user, with their compliance, they can have legal action that comes from the law enforcement. In that case, obviously, we try to work with the user to get their problems resolved as much as possible. But, it is the adversarial ones where we believe this is happening not at the behest of a user that we want to put the most effort in.
Obviously there is the other end of the spectrum which is not government disclosures as required by court but rather government intrusion without your knowledge. We, like everyone else, are now in the unenviable position of spending a lot of time and money trying to make sure that our systems are more resilient against intrusion by government agencies without our knowledge.
For example, we have data in two different data centers for redundancy. We recently paid something on the order of about $60,000 for redundant pairs of equipment on both sides of the network tunnel that will do full encryption on the wire of 100% of all the data flowing through it so that the dedicated, at least a gigabyte, line between those two data centers can’t be sniffed. That’s tens of thousands of dollars that I would have rather have spent on expresso and donuts in the lobby and stuff like that. So, obviously….
Andrew: And brain power that you would rather spend on something that is not about [??] particularly.
Dave: Yeah. Yeah. Yeah. Exactly.
Andrew: What about this, if all of my data is in one place with Evernote, business and personal. If Ann Marie who works here at Mixergy, decides I’m going to sue Andrew for something at Mixergy. Can she get access to, or her lawyers get access to all of my data including my personal journals that I might have uploaded?
Dave: That is a great example. I learned about this last year. If one person is suing someone else in a civil lawsuit, there is a form of a non- party or third party subpoena where basically your plaintiff can go to us and demand information from someone else for a civil lawsuit.
That is exactly the sort of thing that we want to push back on to the full extent of the law. Until a judge declares that we are absolutely and legally required under penalty of contempt to turn over information in a civil lawsuit, we will fight that tooth and nail because we are the custodians of our users’ data.
To the same extent that a bank with safety deposit boxes, their customers are the box holders. Obviously if it does get to a point in court a judge declares that it absolutely must be turned over then we would have to comply within the jurisdictions that we operate. But the intent is to take the interest of our end user first.
Andrew: So let’s take it away from Evernote and just take your understanding and pass it along to the entrepreneurs that our listening to us right now. You have been talking more and more about security roadmaps for startups. Should a startup be worried about X issue versus Y issue at different stages of the companies’ growth. Can you tell me what you’ve been thinking about with that?
Dave: Yeah, a lot of the security press, what you’d read about in the tech journalism about security tends to be just this unfiltered noise. Where you get all sorts of things at all different levels and it is really hard to know what’s actionable. What you should be worried about at each stage of the company.
I think that there’s things that you should be worried about when you are at a relatively early stage of a tech startup and there’s things that you could wait until a bit latter. And ultimately you’re not going to have the luxury of hiring a full-time security staff until your fairly late in the game. There are a few things that I pretty much tell everyone, that’s not negotiable, by the time you have 50 employees you need to be doing it.
For example, you should be using two factor authentication for every service that you’re using at your company. If your using Google apps for your email and Google docs and whatever else. There is a setting in Google apps as an administrator that you can check that will force everyone in your domain to set up two factor authentication to be able to get into their email. That is bare minimum. You have to turn that on.
And it’s going to be unpleasant day and a half as you sort out the people that are like, I don’t know how to get this going and you just have to walk them through it. The problem is that there is a misunderstanding that two factor is just about people choosing good passwords versus bad passwords.
The real issue is more that people reuse passwords. If you have 50 employees at least 10% of them, let’s say 5% of them are using the same password to get into your email system as they also used some service that in the past had a breach, Steam, or eHarmony, or LinkedIn or —
Dave: Even Evernote. Yeah, Adobe that’s a good example pretty much everyone in the world had an Adobe password. When we found out about the Adobe breach we correlated all the email addresses against Evernote users and sent all the overlapping users emails warning them about that. And ultimately blaming the users, blaming your coworkers, is the wrong approach.
Passwords by their nature are not secure enough in this day and age, I could not conceive that you could ever remember 100 different passwords for different sites that are all secure. So what you need to do is get a decent password manager. I’m a fan of one password for example but there is lots of other ones that are good. And enable two factor authentication, that is the sort of example. You start getting into things like adding auditing fairly early. Our admin tools we’ve known since day one.
Whenever an account is access by one of our support staff because it is necessary to solve a problem for a user, that’s been tracked from day one, so we can go back and look at all that information. But that is the sort of thing at an early stage, trying to understand what you need to worry about early and what you can wait until later is a bit tougher for startups.
Andrew: I was telling you that one of the concerns that I have that work with Evernote and there’s so many in the iPhone app store that I love. One of my concerns is that if I want to do something with one app and it wants access to read my notes because I’m a little hesitant because I don’t want them to read all my notes I just want them to read my bookmarks or something.
Dave: Yeah, exactly. That’s an example were the first pass of our API didn’t really cover everything that we would like to do. We built an API intentionally knowing that it would be used by a 3rd party. From the very beginning there’s no trusted secret calls that our Windows client is making that a 3rd party app is technically incapable of doing.
But there is a need for more granular permissions just to protect the users. We don’t want a 3rd party app that comes in just and naively deletes all your notes. So out of the box we have different types of permissions that we can give to an app. So an app that only creates notes and doesn’t need to see existing ones we can give it note creation permissions, without giving it note read permissions.
There is a different access aside from the type of thing you can do, there is also like what the scope of that is. We’re working on something that I think should be launching pretty soon which is the ability for a 3rd party application to have its API key configured to be single notebook. So we would be able to say this particular application, if this than that can read notes. But it can only read notes form my cooking notebook.
So every time I put something in my cooking notebook it creates a tweet or something like that, it would be great. So I could give read access to my cooking notebook to that 3rd party service without letting it read my sequel queries notebook. That is something that our 3rd party developers have asked for themselves because they realize it’s a problem getting adoption when a user sees that the 3rd party app would be able to read anything in their account. So that is soon.
Andrew: I like hearing what is soon coming up for Evernote. I used to, I still have it actually subscribed, the Evernote podcast.
Dave: Oh, excellent.
Andrew: Where every once and a while you would tip off what’s coming. Then you stopped doing it. Why, I loved that thing. Especially when you would, like I said, reveal stuff. And for a while there you would come on and you’d go, I’m so sorry we didn’t do the podcast for the last few months, but, and then you would go into it. What happened?
Dave: I know, well we had one scheduled for yesterday and then Phil had a meeting. Yeah, the scheduling gets to be pretty tough. I kind of miss it. The podcasts are definitely a lot fun. Yeah, Phil likes to declare the things that are coming in the future on the podcasts. Sometimes before actually telling us.
I guess that’s one way to get commitment from your staff is to declare publicly the something is coming. We have obviously have calibrated how to get the most impact out of things that we are doing that are new. Sometimes that is a PR thing. From a marketing standpoint being able to get an exclusive for some big thing we’re doing and shop it around.
Sometimes that would result in coverage in a larger publication then we would get then if we leaked it on our podcast two months early. Other times you’re coordinating with partners. Like a big launch. If we had leaked the telephonic launch were every Android phone in Brazil comes with Evernote premium that’s something that would have been pretty bad. It’s a sad statement of maturity that we have to be a little bit more grown up on what we brag about on our podcast
Andrew: So here’s the answer. Don’t have Phil on if it were just you and one other person it would be golden too.
Dave: Yeah, that’s true although he is the enthusiast. On our podcast he is the one that has the most exclamation marks and sparkles coming out of his voice. I think the rest of us would be hard to compensate without him. He still likes to get off message once and awhile. It is the blessing and a curse of being fairly transparent.
Andrew: Not really. I think anyone that listens will agree with me and think and understand that I’m not just flattering you, all three of you guys are good. It’s three of you that are mainly on there right?
Dave: Yeah, yeah. Well thanks that is nice. Andrew in the early days he was recording it and just sort of mixing it all himself and eventually we got better and we paid 5.00 for a song from iStockAudio and the production quality at that point improved.
Andrew: You through in some sound effects, all kinds of stuff, to jazz it up.
Dave: I know, I know.
Andrew: You play recordings of your users with their use case. I love the use case part. You don’t even need Phil I’m telling you. Well you need Phil to run the company.
Dave: Nah, no.
Andrew: But mister marketing guy just call you up on the phone and hit record and publish that. Kind of like this, this is just an amateur operation, you see this. You and I are just on Skype.
Dave: I already wrote down that Andrew says we don’t need Phil anymore.
Andrew: Tell that to the other Andrew. By the way, speaking of sparkling, you were essentially there from the start. Maybe months apart, according to LinkedIn. You and Phil were maybe like three or four months apart. Phil is listed as CEO. You are listed as CTO, and Stephan is listed as the founder. Wouldn’t the three of you be considered founders?
Dave: I don’t know there was a company called Evernote that had done a lot of great stuff for years, before we showed up. At the last company we were founders there was (??) the articles of incorporation. I wouldn’t want to take anything away from the folks that were around with a capital N. So I think the founder versus non-founder thing is definitely a status badge that is entertaining the first time. But at this point we are really motivated by trying to build something cool.
Andrew: And something cool forever. Do you ever see, maybe you have friends. I have friends. I am now living in San Francisco.
Dave: I don’t have friends.
Andrew: That’s the problem. Well here’s what’s going to happen when you do have friends, especially in the tech space. They’ll have sold their companies and they will be able to buy basically anything that they want and they will be walking around in a whole other stratosphere. Here you guys built this incredibly powerful, profitable company, successful company. Do you ever feel like hey Phil stop telling people we are going to run this thing for the next hundred years let’s just be open to potentially opening so I can own a jet.
Dave: I don’t think any of us are really motivated by that. I am kind of serious, I think it was Thoreau or Emerson that said, “Make yourself rich by making your wants few.” I don’t own a car. I think a lot of people in the Valley they are motivated by making something that affects millions of people.
And then after the fact for some people money becomes a score card afterwards. And that’s fine I guess I don’t knock that. But the fact is even if you fail in the valley you do a good salary and you probably got to wear cargo shorts to work and you worked with people who were a lot more interesting than anywhere else in the world. I think that you shouldn’t be doing startups for money. The math just doesn’t work out.
The failure rate is just way too high. I’ve got a stack of business cards that my wife keeps of all the different places that I have been a VP of this or something of that and those companies don’t even exist anymore. You learn stuff, you get to try new things and ultimately it is the impact that really drives most of the folks that I know.
Andrew: In that case then. Other than doing this Mixergy interview, what is the height, the most exciting point for you of Evernote? And you can’t say being on Mixergy.
Dave: That was pretty much it. I think at the point where we launched the service without an invitation so we left the beta period and we launched to the world. And I had the first person come in and buy Evernote premium. Someone who said this internet service is useful enough to me that I would like to pay $45 for a year to get more of it, to do more with it.
We remember that very first person his first name was Nils. And that is the secret name of our elephant. No wait I’m sorry, Mads. So Mad’s the elephant represents that one user. And I think that there has been a lot of great stuff since then, but getting some to the point where a complete stranger somewhere in Northern Europe just out of the blue said, “you know what, this is awesome, I want to start paying you money.” That moment was probably the high point.
Andrew: And you still remember that moment that first customer, the first person Mads Nils.
Dave: No, Mads. His first name was Mads. I can’t remember his last name, but I probably wouldn’t disclose it even if I could.
Andrew: I knew you could remember it and I was going to try to get you to. Why not disclose it?
Dave: Oh, uh.
Andrew: Because you don’t want to breach his privacy.
Dave: Yeah, exactly.
Andrew: I see, okay. What an exciting feeling it must be to have had that but also to now walk around and see your friends will have Evernote on their phones, have it in the dock of their phones, know that people who you care about are actually using your product. That’s got to be exciting.
Dave: Yeah. We’ve got a commuter rail here in the Bay Area called Caltrain and you walk down and see all these laptops open and smartphones, and it’s hard not to just peek at every single screen and see if there is a green elephant logo on there. It’s pretty amazing just to see the number of people who use Evernote.
We have a conference every year, and we go to various conferences in different capacities. And one of the things that our marketing team has to coach people on is that one of the things that will happen if you go anywhere where there is a large number of our users is someone’s going to come up and want to hug you. I’m dead serious. You’re going to get hugged. That’s pretty amazing.
Our last company, we made really highly scalable and secure cryptographic software, primarily sold to government agencies. We went through common criteria certification with auditors coming in and we did all that. I was proud of building something that was useful but it was kind of boring. Being able to see that normal people tell you over and over that you’ve improved their life in some way.
And in something that, I feel, is a little bit more substantial than sort of transient communication schemes that if the thing you are using for chat today goes away that you just switch to something else. Evernote is, we’re trying to make something that is, you know, we’re not curing cancer but we are trying to build something that is more substantial and is more useful to people over a long period of time.
Andrew: And frankly, maybe there is someone right now trying to cure a form of cancer taking notes in Evernote. It is so exciting to have seen the growth of the company and to continue to watch it. This is what really, frankly, Dave, this is what entrepreneurship is about at its best where you create something that you are passionate about. And I know you have passion for Evernote.
And start to see people’s lives get impacted and become better because of it and maybe even start to see some of your friends use it and realize, hey, I’m touching real people here. And my hope is that as we’ve done this interview, that someone out there is where you were seven years ago. Maybe even further, where you were 15 or 20 years ago and they will build the next Evernote. Or they will be inspired by this and build their version of Evernote, and do it for the next hundred years. And hopefully, like you, they’ll come back and they’ll do an interview here with me.
Dave: That’ll be awesome.
Andrew: Thank you. Oh, I forgot say, thank you Scott Edward Walker for sponsoring this. Scott, I robbed you of an ad! I apologize. Anyone who is an entrepreneur who needs a lawyer, please check out walkercorporatelaw.com. I won’t sell them, you know what I’ll do? I’ll just tell you that if you scroll down to the bottom of the page you will see people you admire talk about Scott and you will understand from them.
He paid me, frankly, for this sponsorship. He didn’t pay them for the testimonials. So, if you want an unbiased feedback from real customers and real users, check out walkercorporatelaw.com and you’ll see why he is the entrepreneur’s lawyer. What do you think of that, Dave?
Dave: Sounds great, yeah.
Andrew: I saw you looking up there. I thought maybe you were saying, what the hell kind of ad is this, let’s remember never to buy an ad from Andrew, he waits until the end and then he also doesn’t even tell anyone anything. Anyway, thank you for doing this interview, and thank you all for being a part of it. Bye guys.
Dave: Thank you, bye-bye.