How Much Should You Rely on Your Users to Do Your Job?

Cyndy Aleo-Carreira


Read any advice about bootstrapping your start-up company and odds are you'll find a tip about using your loyal user base to contribute services to your company. It sounds like a great idea in theory: you have all these people who love what you are doing and want to help. Your users may be willing to code for you or design for you or help localize your app by translating all your pages into languages they speak. The question that remains is how much you should rely on them to do your job.

The recent news about a Mozilla plug-in may be a warning about letting users code. We are in a space where the API is a ubiquitous offering from almost every 2.0 company. Use our API! Add functionality! Build a plug-in! Mozilla has succeeded where other iterations failed by switching to an Open Source model for developing the basic browser, and then letting anyone build plug-ins to enhance the feature set. We've been trained like Pavlov's dog to click the "This is okay! Go ahead and install it!" button every time we add a plug-in to Mozilla, but as some users discovered this week, you can't always trust the code you are installing. All versions of the Vietnamese language pack that have been downloaded since February of this year were infected with a virus. And this was a language pack that could be installed directly from Mozilla's own servers. With no oversight of these plug-ins, users are installing them at their own peril. This time it was just a virus, but the opportunity exists for injection of malicious code based on the current model.

Facebook is apparently having some issues of its own. As our own Svetlana discovered, the Russian language version of Facebook has its own issues. Facebook relies on its users to translate the site into other languages for them. You'd think that a company with Google-esque perks could afford to pay for localization, but most companies will take advantage of free services wherever they can get them if you ask them. The problem is that because Facebook relies on its users to translate the site for them, they don't employ anyone to actually check the translations, nor read any of the ads fed to users who are using the localized versions. As a result, an ad is currently running on the Russian language version of Facebook that advertises pornographic images of teen girls.

It sounds like good business sense to get free services whenever you can, especially when you have a devoted user base willing to provide them. But do you really want to rely on them when your company's image is at stake? And can you bet that in every case free services provided are doing more good than harm?

screenshot of porn ad running on Russian-language Facebook

 

Update: Filing under "great minds think alike," Drama 2.0 was thinking the same thing today and referenced the Data Portability logo design issues as another example of crowdsourcing gone wrong. 


5 Comments
  • I’m glad you’ve brought this up. We’re struggling with these issues on numerous levels.

    Lots of folks want an API for PassPack - but just *think* what that could lead to in the hands of a less-than-honest coder. We’d have to certify all third party code and monitor it to make sure it doesn’t change post-certification. Our liability grows exponentially - but it’s not just protecting our “brand”, it’s protecting our users (why do so many companies forget that?)

    I know I’m going to get hit with a myriad of hate mail for saying this but…. now extend the issue to open source.

    We *love* the idea of open peer review, of a community building compatible apps and plugins. But what would happen if, say, a criminal mind decided to download the PassPack code package, make malicious changes and host it on his own servers advertising it as “Secure, Powered by PassPack”?

    Sure, we could use the AGPL which requires all modifications to be made available to the community — but it’s not honest coders who follow the rules that are the issue here, it’s dishonest coders.

    Anyone who trusts our brand would be at risk. It would ruin not only PassPack, but a lot of innocent people’s lives.

    It’s a tough call. I wish there was a black and white answer, but there’s not.

  • It is a very urgent and probably the biggest problem of open APIs and OpenSource.
    This is not the first time an open source project gets hit. Some time ago the same thing happened with WordPress, when its update was injected with malicious code. And probably it’s not the last time.
    The biggest problem is internet users’ society. Nobody will fix it.

    What could be done?
    Well, take a look at Wikipedia’s model. Community is building, community is destroying, community is fixing and this circle never ends. And this is one of the solutions - let people find and fix the problems themselves.

    Another solution would be to copy a business model from Apple iPhone (IMHO it’s one of the best). Firstly, everything closed - in this period, biggest bugs are fixed. And then - opening, BUT - only certified/confirmed developers can build apps. Of course, it requires many resources to check their work and so on, but this also could be done by users.
    For example, when PassPack released for testers beta-6, many testers themselves wanted to test, help fix bugs and so on. Those people could also check, test and confirm those apps.

    Of course, the most secure solution would be not to launch any APIs and not to use open source.

  • @Aurelijus one issue with iPhone certification will be the cost of certification. If it is too expensive (as it is to get a Symbian application certified) - this will stop startups being able to afford to release for certain hardware / platforms which can stifle innovation.

  • @Stephen Kelly, if my memory is still good, for standard program you only need to pay $99 and for enterprise - $299, it’s not so much.

  • @Aurelijus, Thanks for popping in.

    Like I said, I don’t think there is any black or white answer. So I don’t believe one can say that APIs and Open Source are absolutely good (must use) or absolutely bad (must avoid).

    Each and every company will need to find exactly the right mix for its product. Personally I’m a fan of Open Source. We use public algorithms for encryption and jQuery for rapid interface development. But each time a new version of these gets released, we put them through the wringer before putting them into PassPack.

    On Beta Testing, I think that’s a great example of finding the right balance between doing it all yourself, and looking to your users for help. Users can tell us what they think and help us find the bugs that pop up in real-world usage (not just test runs). But users aren’t actually touching the code - that’s our job. Ultimately we’re responsible.

    @Stephen, certifications are a double-edged sword. I’d like to think that they are there because the developers feel the need to make sure their product remains coherent, but often they are used purely as commercial tools. Again - it’s about finding the right mix.

    Great discussion.
