Didn’t Homejoy Shut Down?

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibily. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

Now, I'm not a native english speaker, so I can't say if aarontcheung is misusing the term or not. Is this change happening to the english culture as a whole? Or am I reading way too many silicon valley articles?

* completely ripping off competitor business websites

* throwing PCI compliance and SSL encryption out the window

* generally treating our VC money purchased customers from our old firm like commodity dirt.

This one is gonna be a winner for sure.

You made a mistake, you know you made a mistake. Admit it, apologize, and move on. Your excuses or context probably aren't going to help your cause.

Are they all incorporated as the same entity, or are they all separate?

Are different founders of Homejoy working on different angles?

  3.1 Keep cardholder data storage to a minimum by implementing data retention 
      and disposal policies, procedures and processes that include at least the 
      following for all cardholder data (CHD) storage:
       Limiting data storage amount and retention time to that which is required 
         for legal, regulatory, and/or business requirements
       Specific retention requirements for cardholder data
       Processes for secure deletion of data when no longer needed
       A quarterly process for identifying and securely deleting stored cardholder 
         data that exceeds defined retention.

You might be trying to reboot your business, but your Comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitors website.

You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?

Sometimes moving quickly isn't the best although most people say launch fast. Being that homejoy didn't do well,why didn't you take time to research well what you want to do next instead of copying a competitors site word for word?

Also, in the email to the person who wrote the article, you referred to flymaids as a "partner". Why not just come out and say it is your company?

Instead I genuinely hope that YC will force companies taking the 7% into a no selling on data policy; I'm not saying that is easy to write but I am saying this situation without response smears YC, something I'm sure could be avoided in future.

How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.

There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.

The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.

The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at HomeJoy as the business has been wound up, so the credit card data should have been deleted.

Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.

Which makes me wonder -- does Stripe allow entire accounts to change hands willy-nilly like this?

If Aaron can answer though, I am curious if he was planning to get back into YC with flymaids?

The snippet you pasted says also:

... regulatory, and/or business requirements

A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.

Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.

As long as the credit card data is transferred in a PCI compliant way, it's legal.

You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.

It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!

I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.

*I said Zenefits :( :(

That might be a good choice for a large company, as they already have lawyers on staff, can afford to pay for a lawsuit, and have enough money to advertise away the reputational stain.

I'm not sure it's a good idea for a startup, though. Unless you are well funded, just dealing with a lawsuit could be fatal given the reputational cost, the legal bills, and the amount of founder time that will get soaked up. Personally, I'd try to be human and humane about it.

The medium article only shows info you can get from a Stripe card_id request. Not using https on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even HomeJoy) ever had access to actual CC information.

It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies, I'm just not familiar with those)

Edit: It might even be the same business entity with different d.b.a names. Good discussion here: https://news.ycombinator.com/item?id=10468161

Why not get out now, lay low for a bit, take a job, learn another industry, and then save up to try again another day?

"Processes for secure deletion of data when no longer needed"

Those dot points aren't using a disjunction, they must ALL be followed. The standard is very, very clear on that point: once you don't need the data, you securely delete it.

That makes sense, incidentally. If you no longer have the data anywhere, then nobody can get to it even if they compromise your systems and gain access to your credit card lists.

If your company winds down and you no longer bill your customers, you are absolutely required by PCI-DSS (and good security practice!) to delete that data.

As for HomeJoy being the same legal entity, that's not the way that the email sent from HomeJoy reads. It says that Fly Maids is their partner, not the same organisation.

That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home.

When you say you're passionate about a "space" though, I think you reveal that all you're really saying is you think you can make a lot of money in that "space". Which isn't passion at all. Well, maybe passionate about making money. Which is more like at best ambition or at worst greed, not actually passion.

I hope someone at Stripe responds because this is a personal data issue.

It's bonkers to display it over an insecure connection, but I don't think that it's disallowed.

Rather than me point out exactly why what you just said was completely wrong, I suggest you download it from here:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.

Processes for secure deletion of data when no longer needed

Is "needed" defined anywhere?

As far as I can tell this requires companies to create a plan – that plan could be very different between companies.

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

Let me restate what I think you're saying though: When they shut down Homejoy, they should have immediately deleted all the data they had stored in Stripe (or what ever payment system they use)?

"That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home."

Totally agree, maybe let's leave it at that :)

Speechless!

I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?

No, Stripe would then be violating PCI-DSS themselves.

Stripe has API calls to get the last four digits and expiration date.

Also, it's not clear that the /payments page isn't secure, the screenshot is of the Profile page.

*edit: see my reply to your other comment, didn't realize you were OP, so I will now assume you did check the payment form for security and it was not there, which is definitely even more shocking.

Bad press sucks and can be hard, it'll pass though - good to be cautious with this kind of thing in the future (which you probably will be).

I was a Homejoy customer too and don't think this is that big a deal all things considered.

You can ignore my comment about the /payments page, I'll assume you checked that, so yeah, that's insane if you can update payment information on an insecure page.

Obviously, I am a huge fan of nit picking, so it's always welcomed :)

I bought a small business from a brokerage site.

He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.

The entire process took minutes. It took about 3 weeks for PayPal.

https://support.stripe.com/questions/change-account-owner

Stripe is very unlikely to transfer credit card data to an entirely different organisation. They also require evidence of PCI compliance before they will do business with you.

As for knowing when your business is being dissolved: I have to refer you to their terms of service, found at https://stripe.com/us/terms

You agree to give us at least 30 days prior notification of your intent to change your current product or services types, your trade name, or the manner or types of payments you accept. You agree to provide us with prompt notification if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding. You also agree to promptly notify us of any adverse change in your financial condition, any planned or anticipated liquidation or substantial change in the basic nature of your business, any transfer or sale of 25% or more of your total assets or any change in the control or ownership of you or your parent entity. You will also notify us of any judgment, writ or warrant of attachment or execution, or levy against 25% or more of your total assets not later than 3 days after you obtain knowledge of it.

You are guessing, however, that they are using Stripe or another credit card provider to store that data. But given Stripe need to handle charge backs and other things, I can't see them not knowing about HomeJoy, given how public the windup was.

It is a big deal. He copied a competitors site word for word. He has 3 other cleaning companies and it appears people who signed up with homejoy have their info. moved to these companies. Customers need to know when their data is going to be used and they have to give consent. Perhaps this fresh article will show the severity of the matter- http://www.businessinsider.com/aaron-cheung-brings-homejoy-c...

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

On such terms "Passionate about" statements are almost universally crap.

There is nothing wrong with just working for the money, all this instistence people must be "passonate" about their work smells an awful lot like cultish propaganda. It not enough to do your job and get paid, you must LOVE your job!

https://www.youtube.com/watch?v=Bz2-49q6DOI

Unfortunately it sounds like the worst case for them is that enough people report them to their payment provider and they get fined. Clearly what they face there is probably not worse than the huge violation of trust their former customers will feel.

By the way thanks for digging into this so much. The Stripe TOS are darn clear here.

For me, however, the weasel-worded "we realize now that we did so in an unclear manner" is completely different than "we realize now we made a big mistake".

http://www.businessinsider.in/Dilbert-creator-Scott-Adams-il...

Kind of like a store selling its shelves as it goes out of business. May as well get money for anything that's not nailed down.

> Cleaner Connect is not an employer, but simply connects independent service professionals with customers

Your Homejoy co-founder stated lawsuits over worker misclassification were the "deciding factor" in the decision to wind Homejoy down[1]. Assuming cleanerconnect.com is indeed part of your new venture, the above suggests your "testing" involves the same flawed contracting strategy that contributed to Homejoy's demise.

2. Your email to former Homejoy customers encourages them to use a "partner" service. You fail, however, to disclose that you are actually a principal of the "partner" business. Additionally, your comment suggests that FlyMaids is not actually a partner of a company that is supposedly winding down but rather is the acquirer of certain Homejoy assets.

3. As far as I can tell, neither FlyMaids or Homeaglow were ever featured by Oprah, The New York Times, etc., yet this claim is/was being made on their sites.

4. There are multiple sites (http://www.dazzlingcleaning.com, http://www.homeaglow.com/ and http://www.flymaids.com/) that appear to be connected to your new venture. Each of their terms of service refers to Delaware corporations that don't seem to exist.

Humble advice: you might want to rethink your passion for the home service space. And make sure you have a good attorney on retainer.

[1] http://recode.net/2015/07/17/cleaning-services-startup-homej...

If they were using Stripe or similar, then they don't have access to your credit cards. Only the last four digits and expiration.

Just seems so contrived and fake to me :-\

Originally the whole site was up, then they removed the support site, then a few hours later, the entire site.

I did a paper on (sort of) this in law school. My focus was on civil law systems and I'm not claiming I'm the world's foremost expert on this topic.

With that out of the way, it's not that easy. When a company goes bankrupt, it doesn't have a say on what happens to its assets. Furthermore, a liquidator doesn't have to honor commitments made by the company. (this is also why 'software escrow' in the cheap form that is implemented so often is, imo, legally on shaky ground - this was the actual topic of my paper).

So what are the options? One is to put the 'ownership' of customer data (what that means exactly is a whole discussion in itself) into a separate company. But that company can't be owned by the 'real' company, it's tricky in many way. And costly. And makes things (very) difficult, operationally. And it takes away the ownership of a critical asset, making it near impossible to get investment (because who will invest in a company that doesn't 'own' its customer data?) Etc. I don't think anyone follows through on their claims of being 'careful with customer data' to this extent, but then again, of course I don't know the operations of every company in the world.

Basically, once you are in a database of a company, and if that database is worth anything, you are up shit creek when that company goes bust - good intentions and promises do not matter one bit. A new guy comes in who doesn't care about his 'reputation' in the field the company was in, who has a legal duty to get the highest price for any assets, and who is not bound by anything the company did or said. It doesn't take a law degree to figure out how that works out for the 'privacy' of the (former) users/customers.

That's all you really need to know about FlyMaids and Homejoy. If I ran a startup into the ground I would never ever betray my customers by selling their data!

When you run a business into the ground, some decisions about what you sell get taken over by courts, at the direction of your creditors.

When you trust your data with a company, you're not just trusting its ethics, you're trusting its long term viability too.

This is true, but a lot of this "story" still seems strange, especially in light of the fact that all of the sites that appear to be associated with Cheung's new venture have been taken offline.

There are a number of well-funded players in this space, some of which might have an interest in acquiring Homejoy's data. How did the twenty-something co-founder of the failed business come to acquire the data? Did outside investors provide funding for the new venture and its acquisition of the data? Were any of those investors also investors in Homejoy? Why weren't former Homejoy customers simply informed that another company had acquired their information in an honest, transparent fashion (the way most companies handle transactions of this nature)?

It's worth pointing out that the email Cheung sent to former Homejoy customers about FlyMaids stated that FlyMaids "work[s] with Homejoy's best cleaners."

If that is true, it would appear this new venture is essentially just Homejoy reincarnated, begging questions about Homejoy's liabilities. Assuming the lawsuits against Homejoy haven't settled, I'd imagine the attorneys behind those lawsuits might have an interest in what's going on.

Such as 'Add your specific cleaning instructions and pay securely online by debit or credit card. No cash, no fuss.'

Which prompted https://mopp.com this time, but also willowmaids and urbahome. This is getting beyond ridiculous haha.

I'm starting to wonder if this isn't just the lorum ipsum of cleaning websites.

Thank you. I asked the same question below and got some downvotes for it. Falsifying things like that is a big sham. I see on homeaglow, the company claims more features on Rachels (whatever that is).

Perhaps a lame attempt to corner the market? Not sure how well that would work out with the exact same content - google punishes such things.

Any time you use last-4 as something secure, you're doing it wrong.

As mentioned above, last-4 is sent by email frequently, and email passes, unencrypted, through intermediate servers all over the Internet. Any compromised host can observe all of the email that passes through it.

Any process that uses last-4 to unlock a password or otherwise as a secure token is broken by design.

On the other hand, I think that proprietarily-generated data would be fair game if anonymized. A massive data set showing how people's usage of a given service varies based on age, geography, type of phone, whatever -- I think selling that to a third party would be morally and ethically defensible. [0]

There are likely a lot of edge cases here (the LinkedIn example above might be one), and it's an interesting topic. With all that said, recycling all of Homejoy's users' account info into a new enterprise without their explicit consent seems pretty plainly wrong to me.

Prediction: the fact that there's still no word from @sama or @paul probably means that they're working hard to provide a clear and decisive written response to this incident -- probably one that amounts to a new YC policy of some sort.

[0]: IANAL and not sure whether the possibility of an eventual sale of such user-generated data would need to be mentioned in the service's T&Cs from the get-go.

How did you get my information? We acquired Homejoy’s domain and customer information through an ABC process. Our intention is to improve and then relaunch Homejoy’s cleaning service. We were testing a new model using Fly Maids, one of our testing brands. As evidenced today, we made some mistakes.

Why is your email and website so misleading? When we contacted customers, we didn’t tell them we were Homejoy relaunching because we wanted to gauge reception to our new model without the influence of Homejoy’s brand.

As a result, we scared many customers, who expected the worst had happened to their data. We should have told customers upfront who we were, what we were testing, and used original content.

Do you have my credit card info? No, as of Oct 28 2015, we deleted all credit card info, including the last 4 digits. Also, the Homejoy Stripe account has been permanently shut down so no one can get access to it in any manner.

At no point did we ever charge a Homejoy customer’s credit card.

How do I delete my account information to ensure that it is not used in any way? Please go here http://goo.gl/forms/YPdJlYJ9Pn

You can't write that off as simply being an honest mistake or testing new ideas.

You went to college. That's plagiarism.

https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...

Good luck.

It's at the very least dishonest if not of questionable legality to shut down your old company to try to avoid lawsuits and / or debts, start a new company and sell yourself your old assets. I really hope that isn't what you're doing / did. Because that would be pretty low-brow kind of stuff.

Aaron Cheung, I would appreciate it if you didn't taint YC's brand with your questionable business practices.

1. You now acknowledge you intentionally lied to customers by saying you were redirecting them to a "partner", but it's the same company under a different name.

2. You don't hold that data under a payment provider like Stripe, and yet you claim to have PCI-DSS compliance but are violating it and risking a lot of customer credit card data!

You now say you have deleted that data, but how are we meant to believe you? Where was that data stored? Locally or with Stripe? Why didn't you encrypt it?

How did you "acquire Homejoy’s domain and customer information through an ABC process"? How does that even work?!

It's not a question of what I use those digits for, it's a question of what everyone else uses them for.

To me, this sounds like "As founder, I had access to all of Homejoy's data, so I just took it with me."

You could say the same about bigger "success" stories (let's say Airbnb). They're actively ignoring laws that make their business look better. Regardless of how you feel about whether the laws are just or not, how does that reflect on YC to have one of their biggest success stories blatantly ignoring laws?

That aside, if we assume the data was acquired appropriately, it makes the questionable behavior[1] all the more baffling.

[1] https://news.ycombinator.com/item?id=10468700

Maybe, _maybe_, for offline testing with small focus groups. But even then, what's the point? You could just show them the competitor site and ask what the dis/like..

Why? Because the two thing you need to run a professional housecleaning service are access to people's houses and their credit card numbers. Maintaining this access demands far more judgement, care, and integrity than Aaron Cheung is ever likely to have.

Not defending the rest of the site. Just pointing out what I felt was not a problem. There are plenty of problems to go around, though.

Also make it legally solid enough that even if there was a lawsuit, the cost of the lawsuit would be higher than the worth of the data.

"i can't be 100% sure but i think people choose to work here because they believe homejoy is not just another cool startup; it’s a mission; it's a passion. we're building things that enable and will change the way people live and work. this is not an overnight venture; we know it'll take a long time, and we’re all committed to it."

Yeah, that's not miopic, self-important and delusional at all.