If you are a big consumer-facing company and you store data on an external server, and someone breaks into that server and accesses personal information about millions of your customers, then that is usually called “hacking,” and it is a big deal, and “a patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur.” On the other hand, if one of your employees logs into that server and accesses that information, that is just something that happens every day in the ordinary course of business and is not a problem at all.
I suppose there is a synthesis of these two ideas: If some stranger comes to you and says “I have broken into your server and stolen data about millions of your customers, but I’ll give it back and walk away quietly for $100,000” … wouldn’t it be tempting to say “oh hey thanks you work for us now, with a start date effective as of two weeks ago, good job enhancing our security systems, here’s a $100,000 bonus”? Problem solved! It wasn’t a data breach, it was a security exercise conducted by a consultant you paid for.
I mean, I don’t really know what Uber Technologies Inc.’s former chief security officer — a former federal prosecutor! — was thinking when he agreed to pay off hackers without alerting regulators or customers or, apparently, Uber’s chief legal officer. But he is gone now, and Uber has some egg on the egg that was covering the egg on top of all the other egg all over its face:
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet.
“None of this should have happened, and I will not make excuses for it,” wrote Uber’s new chief executive officer, Dara Khosrowshahi, in a pretty good summation of the last few years of Uber. I assume that when Khosrowshahi types an “n” on his phone it auto-fills “one of this should have happened, and I will not make excuses for it.” I expect his letter to investors in Uber’s inevitable initial public offering prospectus will begin “None of this should have happened, and I will not make excuses for it.” Uber’s a cappella group should call itself “Tone and Pitch Should Have Happened, and I Will Not Make Excuses for It.”
It’s … just … Uber, man, come on. “It is one thing after another,” I would say, except that they all seem to have happened at the same time. If it’s not undisclosed hacking it’s sexual harassment; if it’s not theft of trade secrets it’s hiding from law enforcement.
What is Uber? Why is it a $70-billion-or-whatever company? You could tell a bunch of stories — it is an app company, a taxi company, a driverless-car company — but one possibility is that it is a regulatory-evasion company. Local regulations around the world entrenched taxi companies and allowed them to capture excess value, and Uber’s central innovation was not building an app or developing a surge-pricing algorithm but simply saying “what if we took that value instead?” In 2017 it spends a lot of time lobbying and buttering up local governments so that they don’t ban it, but earlier on the process was simpler: It would just ignore the local regulations and hope no one would stop it. That worked really well! Not flawlessly, not permanently, not at scale — that’s why it has now pivoted to lobbying and buttering-up — but well enough to get Uber to this point, the point where its lobbying and buttering-up can work.
I am a finance guy, and I think a lot about “regulatory arbitrage” as a source of value, and it seems to me that a lot of Uber’s value comes from a form of regulatory arbitrage. But it is not the form of regulatory arbitrage that I am familiar with, where you carefully analyze the rules in order to build products that get the best possible treatment under different regulatory regimes. It is more just “hey a good arbitrage would be to ignore these regulations.” If that is the core idea that made your company successful, it is going to pervade a lot of your decisions, not just the ones about taxi licensing. And it’s going to be hard to pivot away from it.
I want you to imagine a time, in the not-too-distant future, where the following things have happened (in this order):
1. Bitcoin futures have started trading on the CME Group Inc.’s futures exchange, which they are scheduled to do by next month.
2. JPMorgan Chase & Co. has offered its institutional trading customers access to the bitcoin futures contract through its futures brokerage, as it is contemplating doing.
3. Everyone has decided that bitcoin is dumb and its price has collapsed, as JPMorgan Chief Executive Officer Jamie Dimon has said it will.
I do not want to speculate on the likelihood of these events. (Well, #1 seems pretty much inevitable, and I would bet on #2 myself, but you’re on your own on #3.) But you will concede that they are all at least possible. My questions are: Will the customers who lose money on bitcoin futures sue JPMorgan for letting them buy them? Will their legal briefs say “JPMorgan knew bitcoin was a fraud, and in fact its CEO said so, but JPMorgan nonetheless pushed bitcoin futures on customers”? Will there be congressional hearings? Will Dimon be called to testify? Will senators ask him why he sold bitcoins to clients after saying that people who buy bitcoins are “stupid”? Will he say:
What clients are buying … is they are buying an exposure. The thing that we are selling to them is supposed to give them the risk they want. They are not coming to us to represent what our views are. They probably, the institutional clients we have, wouldn’t care what our views are, they shouldn’t care.
That did not go over especially well in the Senate in 2010, when Goldman Sachs Group Inc. CEO Lloyd Blankfein actually said it about the mortgage bonds that his bank sold in the lead-up to the financial crisis. Nonetheless it was true then, and it is true now, and it will be true in my imagined future. If you are buying bitcoin futures from JPMorgan it is because you want exposure to bitcoin. The fact that Jamie Dimon doesn’t want exposure to bitcoin may or may not be an interesting data point for you, but it is surely not dispositive. He has no inside information about bitcoin. Since Jamie Dimon announced that bitcoin was a fraud and will collapse, its price has almost doubled. He might still be right, but even if he is, you could have had a nice profit on a tactical trade since his announcement.
There is a notion, popular in some circles, that the point of an investment bank is to sell people securities that will go up: that it has a duty to its customers to carefully curate its product offerings and sell them only the stuff that it personally believes in. This is not the point of an investment bank. JPMorgan sits between people who want to buy a thing and people who want to sell the thing, and it intermediates their trades. Diversity of opinion — some people think the thing will go up, others think it will go down — is what makes a market. If JPMorgan could only trade with clients after satisfying itself that they are right, it would never do any trades.