Confide CEO Jon Brod on the White House, bad press and what’s next for his secure messaging app

At a recent StrictlyVC event in San Francisco, I sat down with Confide co-founder and president Jon Brod to talk with him about his decidedly topsy-turvy 2017. Though his three-year-old messaging app was the belle of the ball at the start of the year — Wired, The Washington Post and Axios were among others to note it was a hit with frustrated White House staffers — its positive momentum was abruptly thwarted by security researchers who published a report saying the app wasn’t living up to its claims.

It was subsequently reported that Confide had quickly addressed those vulnerabilities. Yet roughly one month later, a separate lawsuit followed, claiming that another of its features isn’t foolproof.

Brod and I discussed that ongoing case. He also talked about the app’s future, which will likely include video (assuming Confide can shake off that suit first). More from our chat below, edited for length.

TC: You worked for the NBA, for Ask Jeeves, for IAC, then you spent four years at AOL, including as the co-founder of AOL Ventures. How did you wind up running a secure messaging app company?

JB: I’d spent four years at AOL in various executive positions. I was going to leave and, serendipitously, Howard Lerman, who’s also the founder and CEO of [the newly public company] Yext, emailed me about wanting to hire someone who used to work with me at AOL. It took many missed phone calls and traded emails before we connected six days later [because we didn’t want to discuss anything sensitive online], and that was sort of the “aha” moment for Confide. So we gathered up some engineers, prototyped Confide, and started the company.

TC: How much funding have you raised?

JB: We initially raised just less than $2 million, including from SV Angel, [investor] David Tisch, GV, [Yelp CEO] Jeremy Stoppelman, WTI and First Round Capital, among others. A year ago, we closed a $1.5 million seed extension round, so [it’s] $3.4 million all in.

TC: How many people use Confide?

JB: You know I’m not going to tell you that. [Laughs.] We don’t give out user numbers, but also, as a confidential messenger service, we actually can’t track a ton of stuff. Almost everything we track is in aggregate and anonymous.

TC: I love Confide, but I turn to it for very specific use cases. On average, how often do people open the app?

JB: There’s this cohort for whom [Confide] is what they use as their everyday [messaging service] and the [daily and monthly active users] on that is fantastic. Then there are people, I guess like you, that, when there are confidential sensitive things, you use Confide, and you use other messenger platforms and email [for other communications]. I use iMessenger all the time, but when it comes to sensitive material, I mean, you’re insane if you’re still using regular text and email.

TC: Speaking of leaks, you had some amazing press earlier this year, with a number of accounts about all the unhappy White House staffers who use Confide. Were you aware that it had taken off in Washington or did you see it in the news?

JB: Here’s how that went down: I got a Confide message in December from a former high school classmate, and he said, “Did you know a lot of Trump’s transition team is using Confide?” And I said, “No, how do you know?” And he said, “They’re contacting me on Confide.”

Not long after, Axios reached out to me and said, “We’re on Confide and we’re noticing a stream of GOP political operatives coming on to the system and we’d love to talk with you about it.” So I do that interview, [Axios co-founder] Mike Allen runs it in his daily newsletter, and everyone starts calling us.

Not long after, I’m sitting at home one weekend and watching the numbers as all CEOs do, and I see we get to the next stratosphere [in terms of users]. Something is going on. So I start searching for Confide and see that Politico has written a story that [White House Press Secretary] Sean Spicer had called a meeting at the White House with all of his lawyers and all the White House staff and it was a phone-check meeting. And he apparently said, “Everyone, take out your phones and if you have Confide on your phone, that’s a problem.” And he said, “Just so you know this is a widespread policy, I’m even going to delete Confide from my phone.” So that was the number one story on CNN and Google News and that was pretty extraordinary.

TC: I believe Spicer also warned them that disappearing text messages involving anything government-related was a violation of the Federal Records Act. Did you hear from the White House about this?

JB: No, we haven’t been contacted by the White House, but you raise an interesting point that also receives a lot of press attention, which is the legality of this. My position is pretty straightforward: There are certain people in certain industries for whom certain communications are regulated — maybe FINRA in financial services or the Federal Records Act if you’re a member of the executive branch of the government.

If you’re regulated, please use Confide in a way that complies with that regulation, just as you would any other communication device.

TC: So there’s all this excitement around Confide. But as your profile is rising, security researchers are following you more closely and by mid-February, you’re slammed in the press by one team that says there are holes in the app. In layman’s terms, what exactly happened, and how did you resolve it?

JB: A security research firm comes and tries to find vulnerabilities in Confide. We’re able to detect them coming and are able to fix most of their issues in real time. There are some that we can’t, and they notify us, and then through a responsible disclosure — which is generally how these work with security firms — they give us a little time to fix the problems. We fix them incredibly quickly. Then they go out and publicize their research paper.

Importantly, no Confide user was impacted throughout any of this. We made all the changes, and that’s what happened.

TC: One concern of a colleague of mine at TechCrunch, our security reporter, Kate, is your use of the label “military grade” in marketing the app. What does that mean?

JB: It’s hard to describe encryption and security, so we use terms that give people a general sense [of what it means], and “military grade” is one of those terms that we use. Basically, this is end-to-end encryption, and what that means is that as soon as you hit “send” on a message, it gets encrypted, and the only thing that can decrypt that message is a unique key that is generated on and never leaves the device of the recipient. Then once the message sort of detects that key, it gets decrypted. That’s what we mean by end-to-end, or military grade, encryption.

But then after we decrypt something, we go another step. After we decrypt a message, there’s an ephemeral component. So once you read a message, you hit “close” or “reply,” and the message is gone forever. We delete it from our servers and wipe it from the phone. We also have screenshot protection; we’ve gone to great lengths to prevent screenshots, because they’re the enemy of the disappearing. So fundamentally, we’re trying to take the privacy of the spoken word and we’re trying to port that to the convenience of digital communication.

TC: Before we get into this screenshot protection, another feature of your technology that concerns Kate is why you’ve created your own code, rather than use tried-and-tested protocols. Relatedly, she mentioned that because Confide’s encryption protocol hasn’t been publicly tested and hacked and audited to ensure that it’s strong, it could be hard for you to sell to enterprises. Wickr went public with its own code in February for that same reason.

JB: So open source is kind of a double-edged sword. In one respect, you put the playbook out there, which gives people increased confidence. On the other hand, it creates vulnerabilities, particularly around the ephemerality and the screenshot protection. So to this point, we’ve elected not to open source our code; it’s the same philosophy that some other end-to-end encrypted messengers have, like iMessage. But it’s something we continuously discuss and we’ll continue to evaluate.

TC: Do you want to go after enterprises eventually? Is that where the money is?

JB: Our business is really good right now and it’s focused on the consumer; it’s a freemium model. In-app subscriptions is the greatest business model that I don’t think enough entrepreneurs fully understand or appreciate. So that’s where our focus is. We do have an enterprise solution. After the Sony hacks, we received a number of inbound inquiries from businesses; we built a solution for them. We have customers. But the freemium model is really our focus.

TC: You’ve mentioned your screenshot protection a couple of times. But you’re facing a recently filed class action lawsuit that alleges it doesn’t work as advertised, and the former customer who is suing you is represented by a law firm known for its scorched-earth tactics. In fact, Y Combinator president Sam Altman has characterized the firm’s founder as a “leech tarted up as a freedom fighter.” 

JB: I can’t comment on the lawsuit other than to say it’s completely unfounded and meritless. It’s equivalent to a shakedown. This is what this [law firm] does; it goes after high-flying and other tech companies. This will get thrown out of court rather quickly, and I look forward to that day.

TC: What’s on the roadmap? You sent me a text earlier today with an emoji, which is the first time I’ve seen that on Confide.

JB: We do have stickers as part of Confide plus, which also includes unlimited attachments and photos and all of that. We’re about to launch an iPad app, which is going to be great; it’s one of the top things our customers are asking us for.

We’re also playing around with video, which is something else we’ve been asked for a lot. We think it’s super interesting, and we’re playing around with screenshot protection on video and hoping to do something innovative and interesting there.

TC: Is illicit material being sent over your platform a concern?

JB: That’s really tricky. The short answer is that anything illicit and illegal is obviously against our terms of service and privacy policy. The challenge is that these are encrypted messages; we couldn’t read them if we wanted to. So that’s not something we’ve encountered; it would present an interesting challenge for us.

Photos by Dani Padgett.