SpiderOak: The Online Backup and Sharing Service Where Privacy Counts
When it comes to putting your data in the cloud, the options seem to fall into two familiar groups. There are services like Carbonite and Mozy for backing up individual computers, and then there are services like Dropbox or Box for accessing or synchronizing files across many computers.
But maybe that isn’t all there is. Lately I’ve been learning about a company that straddles these definitions in some interesting ways. It’s called SpiderOak, and in addition to being a category-buster, it’s also got an intriguing history that combines a mania for privacy with extreme capital efficiency (the company’s total backing of $900,000 is a tiny fraction of what its competitors have raised).
Aimed mainly at advanced consumers—but with a growing user base inside large enterprises—SpiderOak backs up users’ data across all of their computers (Mac, Windows, and Linux). It charges according to the amount of storage used: the first 100 gigabytes costs $10 per month or $100 per year, and each additional 100 gigabytes costs another $100.
That’s in contrast to Carbonite and Mozy, which charge $59 to $72 per year to back up one computer, and another $24 to $56 per year for every additional machine. In other words, if you’re only backing up one machine, Carbonite and Mozy might be more economical, but if you need to back up two or more computers and your total storage is under 100 gigabytes, SpiderOak is cheaper.
SpiderOak also offers a Box- or Dropbox-like synchronization service. Designated folders can be kept in sync and shared across any combination of personal machines, as long as they’re attached to a single user account. (There’s another sharing option for large companies with lots of accounts.) The company calls its combination of backup and sync “living the CloudLife.”
“In my mind we are building a central repository” for data, says SpiderOak CEO Ethan Oberman. “The idea was to build a mini-network that revolves around an individual, as opposed to these standalone accounts for individual machines with the online backup companies.”
At the same time, SpiderOak puts a high priority on privacy. Oberman says the company “wanted to dispel this myth that just because your data is online, it can’t be private.”
The problem with synchronization and collaboration services like Box and Dropbox, Oberman says, is that before they can know that a file has changed (and that it therefore needs to be incrementally updated in the cloud), their servers need to know what’s in it. This means customer data must be stored in plaintext form. To Spider Oak, that’s anathema.
In fact, the company has what it calls a “zero knowledge” approach to privacy: all files are encrypted on a user’s computer before they’re uploaded to SpiderOak’s data centers. Only the user has possession of the passwords and encryption keys. That means SpiderOak can’t reveal users’ private data, even when law-enforcement agencies come calling. It also means the company isn’t vulnerable to the kind of snafu that left every file in every Dropbox account unlocked for about 4 hours one Sunday in June 2011.
“It doesn’t seem logical that data should be made public for any reason,” says Oberman. “Passwords are never transmitted to our servers. They are big dumb boxes, and even if we were trying to do something [nefarious] we couldn’t. That is how we keep the zero-knowledge privacy environment intact.”
Oberman admits that SpiderOak’s unusual combination of features has made it a “hard sell.” The startup doesn’t really like to be lumped in with either the backup companies or the synchronization companies, which means customers don’t always know what to make of it. And its emphasis on privacy may resonate with programmers and other tech-savvy users, but it’s not necessarily a big selling point for average consumers, who seem happy to use easily guessed passwords and to share all the personal details of their lives on Facebook.
But Oberman says SpiderOak has built up a rabid following among developers and other geeks, and that this same group is now helping the startup get a foothold in the corporate world. “Our customers have traditionally been very tech-oriented,” Oberman says. “They appreciated our Linux support, and we do a lot of open source things, and as a result we developed a cultish following. When somebody at a large company says, ‘Look, we can’t have our employees using all these third-party services, what companies do you guys like that does things in a private way?,’ a lot of these techie guys were already using SpiderOak, so they’d say ‘Why don’t you give them a call.’ It wound up being a grassroots way to grow our enterprise business.”
Growth at SpiderOak’s competitors has been anything but grassroots. Box has raised an astronomical $284 million from a Who’s Who of Sand Hill Road investors, and Dropbox has raised almost as much—$257 million. Carbonite went public in 2011, raising $62.5 million, and Mozy is owned by deep-pocketed parent EMC. SpiderOak’s ability to get traction with Fortune 500 customers on only $900,000 in angel capital is a testament, in part, to the company’s frugality. It’s got 27 employees, but it doesn’t have an office—Oberman is in San Francisco, and the rest of the team is scattered across the Chicago area, Kansas City, Seattle, and Bulgaria.
There’s also a rugged-independence aspect to the story. “For us, the goal was always to be self-sufficient,” says Oberman, who co-founded the company in Chicago 2007 with Alan Fairless. “We were always in the mentality that we should drive toward controlling our own destiny. We like to have a say about what we do, and we make decisions about raising money that are directly in line with that. That also allowed us to be a little more patient and wait and see where the market was going, as opposed to over pushing into one area and then realizing it wasn’t the right one.”
Then there’s the company’s hidden weapon. “Every company needs one or two secret advantages to really make it work,” Oberman says. “For us that advantage was that my father’s company has owned and operated a data center since the early 1980s.”
The Northbrook, IL-based company is Omeda Communications. (The name is an acronym for Oberman: Matt, Ethan, Daniel, Aaron, a reference to the four brothers in the family.) The company offers a range of marketing-related IT services, including database-heavy applications like e-mail marketing, and it’s where Oberman had his first real job after stints in filmmaking, shooting commercials, and furniture making. (It’s also where he met Fairless, who’s now chief technology officer.) Oberman says SpiderOak is able to store data at the Omeda facility at below-market rates, which meant it didn’t have to build its own data centers or outsource the job to cloud services such as Amazon S3.
The company claims that it has suffered zero downtime, and that the fault-tolerant architecture of its own backup systems means that it can never lose a piece of customer data. So if you’re in need of storage and synchronization help and you’re interested in reliability and privacy, SpiderOak sounds like an option worth checking out. But one capability where the company lags, Oberman admits, is mobile. The company doesn’t yet offer customers an easy way to access their stored data from their smartphones or tablet devices.
“I’ve never claimed to get everything right the first time around and sometimes not even the second time, and mobile is the one area that we kind of screwed up,” Oberman says. The startup didn’t anticipate that mobile devices would become such important conduits to business data, he says, and its first mobile interface was something quick and dirty that didn’t serve users’ needs. But the company’s programmers are working on an HTML5-based interface that will run in smartphone and tablet browsers, and might even replace the company’s existing downloadable client program for Macs, Windows machines, and Linux machines.
As a result of its privacy focus, the company also falls a bit short when it comes to collaboration. In the consumer version of the service, users can give family members or friends access to specific folders within their accounts by sending them a special password for that folder only. But that approach wouldn’t work across an organization, so Fairless developed a “collaboration virtual machine” that sits behind a company firewall and has access to plaintext versions of files in multiple accounts. The virtual machine encrypts all data before sending it to SpiderOak, so the company maintains its zero-knowledge policy.
The company also sells a private-cloud version of its entire software stack, for corporate customers who want to handle their own storage. Licenses cost $5 per user per month, and it’s nearly all profit, since the company doesn’t have to invest in infrastructure for these accounts.
SpiderOak has “enough revenue coming in that we can self-fund and we don’t need to raise money,” Oberman says. But with the possible exception of Dropbox, there isn’t a company in the online storage and synchronization market that has gotten really big without dropping a lot of money on marketing—so no one would blame Spider Oak for exchanging a little bit of control for a little bit of capital.
After all, as Oberman himself points out, “we’re the only major company competing in this space that has raised less than $70 milion.” That’s a good place to be in—unless it limits your options. Whatever happens, look for SpiderOak to do the unexpected.