Few minutes ago I found out that Kickstarter was hacked, and user information was exposed. It’s not the first time a popular site gets hacked (and it won’t be the last, for sure), the interesting part however is why did that happen and what would be the right path for a service like this to handle the data protection layer for its users. That’s how I see the three layers of trust/responsibility relationship in that combo:
There are other interpretations and possible role assignments, but let’s stick with that for a bit.
Let’s apply that Kickstarter example to another web project, or car maintenance, or accounting. So, we find a site that requires us to create an account, or our car is broken and we’re looking for someone to fix it. If you’re not experienced in web (or automobiles) you’re likely to register to that site or get your car fixed by that guy you found driving by his place.
There are different ways this story goes, but in essence – the service would be good or bad, cheap or expensive, professional or low-cost. And what happens when the site is hacked or your car is actually broken after the service? Well, your data is leaked and you’re likely to stay on the highway waiting for the road assistance to back you up in the middle of the night (it might get much worse so it’s a pretty positive outcome). Therefore trusting the vendor means that you invest a lot in that service, and picking the wrong vendor (or trying to get cheap) might get you in so much trouble. Imagine looking for the cheapest doctor for your surgery.
So, we’re the accounting agency that takes care of the taxes and everything for a client, or the dev studio building a given project. Disclaimer: for me this is the most interesting participant in that use case scenario that we’re looking at. Why? Well, because in my experience most countries keep the accounting agencies or dev studios safe when it comes to responsibility. You can try and sue the IT company for getting hacked, but there are so many layers of possible vulnerabilities (your own actions and requirements in the contract, or social engineering attack, or the server setup of a 3rd party provider, etc) or you, as a client, could be hiding details from your accountant on purpose, therefore failing to find the best and most loyal contractor for that thing could lead to drastic consequences.
On the other hand, if you’re a contractor, you’re either a pro in what you do, or you’re mediocre. There’s nothing necessarily wrong with being mediocre, since according to the PM triangle that I like to mention here and there one of the possible outcomes is a client that is willing to sacrifice the quality or features for the sake of the cost. For example, buying a laptop for your 7-year old daughter would be less picky compared to choosing your own notebook that earns your paycheck. It depends on your requirements.
Another interesting scenario is – what if you’re an expert but your sales and marketing suck and the gigs are not enough? And a client is willing to pay you for a few months but not as much so that you could take care of the code quality, or security, or performance? It’s probably easy to say “I’m not going to do that ever” but in practice taking care of your wife and baby might prevail over a crazy project or two that put food on the table.
Speaking about requirements and my WordPress pricing strategy as well, most clients out there try to find cost-effective solutions, often non-realistic (I’ve had a few examples of “I want a Twitter clone for $200” or “I want Facebook with everything (walls, galleries etc) for bands (MySpace) and the entire Last.fm inside too for $15K”). However, clients can’t always assess the cost of a project, or evaluate the time and effort put into scaling a new site or implementing a state of the art security for a starting project.
The conflict goes on when a client is looking for a cost-effective solution to bootstrap an idea and generally get successful with the MVP without making sure that part of the investment usually goes for improving the product.
Getting back to the accounting example, we have lots of restrictions locally for selling online products, related to outdated requirements from the tax agency. My accountant explained those issues in details, pointing to the articles from the commerce law here, and their definitions. I don’t take advantage of some ideas of mine due to said legal reasons, however several accountants were trying to convince me that it’s fine and they could “find a way” to solve those problems for me. I’ve however spent enough time on that and if I get caught with their “workarounds”, I’d pay massive fees and probably get sued too. They won’t be touched by the law though, as it’s my responsibility to find the best service for my business.
Back to Kickstarter
That separation of responsibilities could get us back to Kickstarter, and the common problems there. In a three-tier case as the ones above (ignoring the specific news), the middle tier is the real producer. It’s the doctor at the hospital, or the toy factory for a toy chain store, or the manufacturer of computer components. The victims of failing to accomplish a goal with a high quality however are the users and the employer.
Are we to blame the contractor (the middle-tier) then? Not really. Putting a service on the market doesn’t mean that you’ll get clients. If the employer (the company CEO or the company outsourcing a service to another company) has picked that contractor, they should stick with the consequences. Either way, most attacks happen when a site/service gets popular, which means that the users support what the employer sells. So if there were no users, there would have been no problem. And that’s where our business circles goes on and on.