Again, this has never been in question. What VCs do require is one of the following three things, and we need to be completely clear on this for this discussion to even work:
- Acquisition by a larger company
- IPO
- Their investment to be repaid (e.g. via a share buyout)
I am arguing that any company that has not yet done one of these three things must not be recommended, because we do in fact know that they must do one of those three things eventually. Once they do one of those three things, then we can decide whether they should be recommended. It’s a matter of waiting.
Anyways…
Let me write out the full criteria in my mind which IMO address your concerns (this would be added to, e.g. General Criteria - Privacy Guides or something):
Business Model: We only recommend tools which have the potential to last in the long term. This means that companies beholden to shareholder profits over their founders or customers are generally barred from being recommended, such as VC-backed or (in some jurisdictions) publicly traded companies. Exceptions may be made in limited circumstances:
For software:
- If existing open-source, community-run implementations surrounding the software exist.
  - For example: Vaultwarden with Bitwarden, Conduit/FluffyChat with Matrix, Headscale with Tailscale.
- At our discretion, if the software is fully open source and self-hostable without reliance on a cloud service for operation, even if community-made alternatives do not exist.
  - For this criterion we would use our best judgement to determine how easy it is for someone to self-host. This is because it is unreasonable to expect community implementations to exist for all software, especially as they become more complex.
  - For example, if Synapse was the only Matrix server option, I think Matrix would still qualify under this exception because Synapse is (relatively lol) very easy to self-host. On the other hand, some open-source software is virtually impossible to self-host even with the source available due to e.g. lack of documentation, etc.
For service providers:
- If you can migrate to a self-hosted version, which does not rely on a cloud service for operation, with zero loss in functionality.
  - For example: Migrating to self-hosted from Element Matrix Services, or hosting your own SMP server with SimpleX.
  - The implication here is that merely being able to export your data is not enough, because you should be guaranteed a continuity of service, not just data retention.
    - For example, Skiff Mail would not qualify because the service depended on the @skiff.com domain which is a highly-centralized resource.
    - On the other hand, something like Bitwarden, which can be migrated to Vaultwarden without loss of functionality (since the API domain is not tied to some network effect), would qualify.
- Or, at our discretion, if you can sufficiently demonstrate long-term success without an obligation to maximize shareholder profit (through e.g. an “exit”). This could be achieved with some combination of the following, for example:
  - Operating for >10 years.
  - Having a viable business model which allows you to continue operation without seeking additional external investments.
  - Having a legal structure which prevents external investors from adjusting the company’s privacy-focused mission.
    - For example: Benefit Corporations
  - Buying back and eliminating VC investor stakes in your company.
If this proposal goes through, I would also be in favor of replacing “Element” with “Matrix” on our website, but that is a separate discussion we’ll have later.