Dropbox, the popular cloud storage system that lets people drag files to an icon that puts that data in the cloud and sync new versions across multiple devices (see “Hiding All the Complexities of Remote File Storage Behind a Small Blue Box”), recently got $250 million in new funding, giving it a $10 billion valuation.
The startup now has more than 200 million users, and also some problems: a prying National Security Agency, evidence that its “synching” technology can serve as a vector for malware, and—on a more prosaic note—finding enough engineers to pace growth.
Drew Houston, the company’s 30-year-old CEO and cofounder, recently discussed the company’s trajectory at an event hosted and organized by the Cambridge, Massachusetts, branch of the MIT Enterprise Forum, the technology entrepreneurship community arm of MIT Technology Review.
Houston spoke with Jason Pontin, the editor-in-chief and publisher of MIT Technology Review and chairman of the Forum. Below are edited excerpts from their conversation; a video of the complete event can be found here.
Dropbox filed a legal brief asking for permission to report national security requests for user data. Why? What have you learned this year, and the previous year, about how the U.S. intelligence community treats cloud companies like yours?
I think everybody understands that there’s a trade-off between security and privacy. I think we all want the government to keep us safe, from all kinds of bad things that could happen, but we can’t just have the government kind of running around listening to everything or be able to run surveillance on everything that happens.
There’s a trade-off, and the right answer is somewhere in the middle. But the way we’re learning about everything that’s going on, I’m sure, was shocking to everyone in this room in the last year. I think the government could have done a lot better job, having kind of an adult conversation, not having everything about this being so shrouded in secrecy.
As a CEO/founder, you must feel—forgive me—mildly screwed. You knew what was going on, yet there was a gag order about what you could communicate. And now the government’s authority to demand user data has been revealed, and to your customers you can’t promise the same degree of privacy and security that perhaps you would like.
We’re allowed, for example, on our website, to disclose how many people [a request from law enforcement] affects; or when there’s an inquiry, how many of the inquiries did we accept; and which did we push back on and reject; and how many accounts did that cover.
What you find is maybe tens of people, out of hundreds of millions of users, affected by this. We’re pushing for transparency there.
For those of you who bothered to go through the NSA’s PRISM files that Edward Snowden released, there was a famous PowerPoint slide that said: “Dropbox, coming soon.” You have just called for the NSA to be more transparent and so I’d call upon you to be as transparent as you can. Tell us what you have been required to hand over.
Well, that was the first time I ever heard about that. I’ve never actually talked to anyone from the NSA. There was a group of us [technology executives] who visited President Obama to talk about this stuff, and PRISM was just one thing, there were all these other reports—Google and other companies getting hacked into—and so yeah, it was pretty shocking. It’s frustrating all around. It’s not fun to sort of wake up and hear that these things are happening. All my stuff is in Dropbox, too. I don’t want anyone else looking at it. We care about these things.
What methods have you found to be the most successful for engaging software engineers who are not on the market? How do you recruit people already firmly fixed in a company?
Very good people, whether engineers or otherwise, are almost never looking for a job. And there’s always some reason why like now is not the right time, or they just started something, or started a new job. There are usually a hundred reasons to say no to even considering something new.
And so that’s where we think about techniques to get around that. Really it’s just staying on people. First you have to keep inventory of the best people you or your team has ever worked with. You don’t just hand them an offer letter and say “Just quit your job right now,” and you don’t just say, “Hey, will you interview?” because they’re just going to be like—“I feel weird,” because they’re not looking for another job. That’d be a strange next step to take.
But you bring them into your orbit, right? You have them swing by the office for drinks, do various things, and you introduce them to the company, and you sort of tastefully educate them on everything that’s going on in the company.
There’s a bunch of reasons we are excited about what we’re doing, and after we explain it to them, it’s pretty easy to get other people excited, too.
A question about malware. The syncing that you do is kind of marvelous and seamless and looks like magic. But it also can sync malware. Is there any way technically to stop that from happening?
We’re big believers in, like, “Do your thing really well.” There are a lot of great antivirus and antimalware tools out there. And most people are already using their favorite one. I think it’d be asking a lot to like foist something [on them]. So we kind of stuck to our knitting as far as that.
I think that’s also a challenge that’s not really native to Dropbox. Through Gmail you can also send bad stuff, or through Web browsing or through a thumb drive. There’s a whole bunch of different channels, so I don’t think Dropbox is unusual in that regard.
So, “Stick to your knitting.” Someone else’s problem.
There are a lot of good companies that solve that problem well.