
Dropbox S-1 - i0exception
https://www.sec.gov/Archives/edgar/data/1467623/000119312518055809/d451946ds1.htm
======
throwaway93192
I'll just point out that the SVP of engineering, a former Microsoft exec,
received $34 million in compensation, since joining less than 6 months ago.

For all employees that are considering joining a startup as rank-and-file
engineers and putting in years of effort, remember that your compensation will
be paltry compared to founders and top execs. When your work finally pays off,
it will mostly pay off for them.

Good for you if you're OK with that extreme imbalance. But, I know too many
people that discovered only upon an exit, that the financial reward was never
destined for them.

~~~
matchagaucho
If there's ever an Equifax scale breach at Dropbox, accountability will fall
on the SVP of Eng.

~~~
rrcaptain
You realize Equifax has had pretty much no consequences for their gross
negligence, right?

~~~
matchagaucho
Execs were forced to resign. Rank and file Engineers were not.

~~~
lotsofpulp
Once you've made $10M+, why would anyone care if they have to resign?
Especially, when odds are they'll have another gig in no time.

------
notfried
Tip: Never pay for Dropbox at $99/year. It's repeatedly discounted throughout
the year at Dell's website for $60, and often also comes with a $25 Dell gift
card. So effectively, its value is $35/year, and you can buy multiple codes,
redeem them, so you'd be effectively paying in advance for as long as you
want, at 1/3rd of the price.

~~~
jedberg
Normally I would jump on this, but I like dropbox, I like the people there,
and I like Drew, so I'm willing to spend an extra $30 a year to increase their
revenue and keep them in business longer.

~~~
tetrazine
Sorry, what???

I mean, you're entitled to do whatever you'd like. But do you see the
potential valuations being tossed around? "Drew" is worth tens to hundreds of
millions.

I just have no idea why someone would find it not only worth it to take money
out of their own pocket to further a corporation that has no need for the
empathy we would normally afford to people (or small businesses, which "round
down" to individual people or small groups), but would actually see value in
sharing this thought process with everyone else. It's not like using a "deal"
is unethical or illegal (like, say, piracy), the company in question (or a
reseller taking the hit) offered it. Is this some kind of silicon valley
flavor of virtue signaling?

If dropbox was a startup with 8 employees, especially one that didn't offer
the near-commodity service (yes, I know UX etc matter here) that dropbox does,
I would understand this. But that's so far from the case

~~~
anonytrary
Predictably irrational people exist! However, how is this different than a $30
donation? I think the real question you want to ask is: Why do people donate
money to people who already have lots of money?

~~~
ironjunkie
As you state, this comment equals to: "I like Drew, so let me make a donation
of 30$ to Dropbox"

That's why I like economics so much. A lot of irrational behavior comes simply
from the fact that humans are usually terrible at understanding the underlying
economic transactions taking place.

One of my favorite irrational behaviours is the one in which people value
an object they got more than the equivalent price at which they could buy/sell
that object.

For example: You have an old bottle of wine in your cellar, and it is now
valued at 500$. A lot of people would, simply put, never buy a 500$ bottle.

But if that bottle was your possession, most of the people would keep it and
eventually probably drink it, being completely irrational in regards with the
500$ valuation.

~~~
anonytrary
> One of my favorite irrational behaviours is the one in which people value
> an object they got more than the equivalent price at which they could buy/sell
> that object.

Art is also a good example. Art is globally unique, so what does it even mean
for art to be worth $X? Seems like the only "value" of art is the price the
next guy is willing to pay. The price is undefined until it's not.

On the other hand, if I have a _fake_ Van Gogh, I would not be emotional upon
liquidating it because it _is_ fungible; some computer and printer somewhere
can easily reproduce the piece if I ever need it again. In addition, the price
is well-defined because fakes have a well-defined manufacturing cost
associated with them. An authentic Van Gogh has an infinite manufacturing cost
as the guy is dead.

~~~
tetrazine
This is actually a subject dealt with widely in the humanities. _The Work of
Art in the Age of Mechanical Reproduction_ is a good start, for instance. It
does seem odd for art to be valued by the market, but there are clear ways to
construct standard valuation (based on utility, etc) around it.

    
    
      some computer and printer somewhere can easily reproduce the piece if I ever need it again [...] well-defined manufacturing cost
    

This is not as straightforward as some might think! Some people agree with
you. Some don't. "Fake" is a spectrum as well. Is it a reproduction of an
original work, or an original work falsely attributed to a particular artist?
In the second case, if the quality is high and scholarship has emerged around
that work, is it "less valuable" to own after it is revealed as fake (for one
individual, not at market prices) or is it in a sense more interesting? Is it
perpetrated to be real or simply a print? Even if it's an authentic creation
of the artist, has the work been authorized outside of their canon in a less
official way? What about photographs, and later editions of them (by either
the artist themselves, their estate or family, a dealer, etc)? Check out
Richard Prince and his "decertifications" of paintings.

Startups offering blockchain solutions to this landscape, of course, are
emerging. But they face the same problem everyone does in that market: how can
physical assets, and their movements, be indisputably registered to a
blockchain?

~~~
anonytrary
> "Fake" is a spectrum as well.

I suppose this is true, very interesting. A piece (real or not or unknown)
with history, can become (de)valued in its own right.

> how can physical assets, and their movements, be indisputably registered to
> a blockchain

For example, I think VeChain and Modum use physical ID chips, but I don't see
how they solve this problem. It seems like a tall order to create an injection
between physical assets and digital ones. I could see how this would be done
if the physical assets were fungible and centrally sourced, which is only
going to be the case with certain physical assets.

How would people register those assets to the blockchain? No one in the world
should be able to register my laptop, because they don't have it. It would
need to be derived from physical measurements, but this is a can of worms
because the measurements can change; physical matter is not immutable in the
way that digital matter is. Coupling the two seems like a tall order, or maybe
I am small minded.

------
a_taylor
I find the equity split between Drew (25.3%) and Arash (10.3%) especially
interesting given @paulg's 2014 tweet that "Zero of the most successful YC
companies have a significantly disproportionate equity split"
[https://twitter.com/paulg/status/535588566978404352](https://twitter.com/paulg/status/535588566978404352)

~~~
portman
It may have started equal at founding and changed over subsequent rounds. I
know of a case where 4 founders started equal and differed by order of
magnitude by the end.

~~~
Hydraulix989
How did this happen?

~~~
LoungeFlyZ
Many will sell some of their stock during a funding round to the new investor
to take some money out and blow it on lambos.

------
habosa
I believe this is the first ever YC company to go public? If so congrats to YC
as well as the team at Dropbox.

~~~
blocked_again
Curious why going public deserves an applause. Is being private a bad thing?

~~~
pg_bot
When you take investment money, it comes with the expectation that there will
be a liquidity event. (going public, selling to another corporation) Being
private is not a bad thing at all, in fact I would expect most entrepreneurs
would prefer that their companies remain private. However you've accepted a
faustian bargain once you take money from someone else. Going public is seen
as the most desirable liquidity event, since the company still controls its
own agency and you maximize choice if/when you want to sell your stake in
ownership.

~~~
yeukhon
The bot has spoken.

The most important thing out of all, really, is funding through public market.

------
andysinclair
From the S-1, looks like they will be excluded from the S&P500:

In addition, in July 2017, FTSE Russell and Standard & Poor’s announced that
they would cease to allow most newly public companies utilizing dual or multi-
class capital structures to be included in their indices. Affected indices
include the Russell 2000 and the S&P 500, S&P MidCap 400, and S&P SmallCap
600, which together make up the S&P Composite 1500. Under the announced
policies, our multi-class capital structure would make us ineligible for
inclusion in any of these indices, and as a result, mutual funds, exchange-
traded funds, and other investment vehicles that attempt to passively track
these indices will not be investing in our stock. These policies are very new
and it is as of yet unclear what effect, if any, they will have on the
valuations of publicly traded companies excluded from the indices, but it is
possible that they may depress these valuations compared to those of other
similar companies that are included.

~~~
uiri
If this ever becomes a concern, the class B shareholders can convert their
shares 1 to 1 into class A shares. Once all class B shares have been
converted, class C shares will also convert 1 to 1 into class A shares. This
would then make the company eligible to be included in the S&P 500.

I imagine that the class B shares are nontransferable, which means that this
will cease to be an issue once the founders have fully cashed out.

------
lylo
I’m a fan of Dropbox, it’s an excellent product. It’s the only file sync
product I’ve used in anger that I actually trust — I’ve had glitches of one
sort or another with iCloud, Google Drive, OneDrive... never with Dropbox. It
just works. Apple should have bought them, Jobs got it wrong ;-)

Dropbox Paper is also a delight to use, from a personal perspective. I’ve
never used it on a team. I would be interested to hear whether teams of 50+
have successfully used it — it just doesn’t feel ready for the enterprise in
the way that Google Drive does/is.

I’ve not read this S-1 (perhaps it clarifies this) but Dropbox seems a little
confused about positioning B2C vs B2B. Does it have a packaging problem? Can
it have it both ways? It feels like it’s trying to, but when I was a paying
Pro user, I couldn’t get away from the upsell on the site for me to move to
the business package. Annoying.

Good luck to them though — they have killer design, a killer viral product and
a loyal user base.

~~~
brisance
Apple did not get it wrong. Steve Jobs offered to buy (for a putative $800M)
but Drew Houston said it was not for sale. Thereafter, Steve was reported to
have said that Apple would crush them since Dropbox is a feature and not a
product.

~~~
lylo
I stand corrected! I thought he didn’t want to buy them for that reason,
didn’t realise he had made an offer.

------
wonder_bread
Seems like the move away from AWS to it's own infrastructure is starting to
pay dividends. 33% GM to 67% in two years is certainly impressive!

~~~
wmeredith
Friendly heads up: "its" is possessive (like his or hers) whereas "it's" is a
contraction of "it" and "is".

~~~
FreakyT
I really want to file this as a bug report in the English language.

    
    
       ENG-21238: Contraction for "it is" easily confused with possessive form of "it"

------
abuckenheimer
I'm not surprised to see net neutrality mentioned as a risk factor.

 _Our platform depends on the quality of our users’ access to the internet.
Certain features of our platform require significant bandwidth and fidelity to
work effectively. Internet access is frequently provided by companies that
have significant market power that could take actions that degrade, disrupt or
increase the cost of user access to our platform, which would negatively
impact our business._

I wonder if you could make an argument that public SAAS companies have a
fiduciary duty to their shareholders to support net neutrality policy.

~~~
twinkletwinkle
They could also call out the flip side though, right? Dropbox could negotiate
deals with the ISPs to "box out" smaller competitors. Maybe it costs them
upfront but it also solidifies them in the market.

~~~
raverbashing
> Dropbox could negotiate deals with the ISPs to "box out" smaller
> competitors. Maybe it costs them upfront but it also solidifies them in the
> market.

Yes, if you're a short sighted MBA that wants to encourage your own extortion

~~~
mjburgess
Well, either way, their competitors are icloud/onedrive/googledrive...
box'ing-out isn't going to be a successful strategy.

------
jest3r1
The risk factors fail to mention their inability to offer any kind of end-to-
end encryption. Or that E2E encryption is the differentiator that most of
their competitors offer.

Dropbox (employees and trusted third parties) will always have access to your
files.

Before you downvote.

This is not necessarily a bad thing. They can deliver more features and better
performance as a result. Reliability is key, and it's certainly easier to
understand what users need, and to develop, implement and debug new features,
when you've got access to the files users are storing.

But eventually, end-to-end encryption will take hold. It took decades for
HTTPS to become the de facto standard, but it did. Email is moving that
direction (Proton Mail, Tutanota). Text messaging is moving that direction
(Signal, WhatsApp?). And there's a number of Dropbox competitors that are
growing fast because of better privacy and E2E encryption (SpiderOak,
Tresorit, Sync.com, pCloud). NextCloud (open source self-hosted Dropbox
alternative) also just launched end-to-end encryption.

These companies have been slowly solving the problems that Drew claimed were
impossible when Edward Snowden dropped the bomb. Meanwhile Dropbox has been
pouring dollars into marketing and a Microsoft Office / OneNote / Google Docs
competitor (Paper).

Drew's response to end-to-end encryption:
[https://techcrunch.com/2014/11/04/dropboxs-drew-houston-resp...](https://techcrunch.com/2014/11/04/dropboxs-drew-houston-responds-to-snowdens-privacy-criticism-its-a-trade-off/)

Dropbox risk factors (many unsolvable):
[https://www.sec.gov/Archives/edgar/data/1467623/000119312518...](https://www.sec.gov/Archives/edgar/data/1467623/000119312518055809/d451946ds1.htm#toc451946_2)

I use Dropbox and feel the product is still the leader in terms of features,
but I see the competition catching up, with better privacy (end-to-end
encryption) built in.

~~~
bad_user
> _Email is moving that direction (Proton Mail, Tutanota)_

No it doesn't.

I've never heard of Tutanota, but Proton Mail is hardly evidence of anything.
In fact the attack vector for email is very different when compared with other
channels, as for email I'm not afraid of my email provider as I'm afraid of
hacking attempts. Yes, I value security over privacy for email. Therefore I
would trust Gmail more than I would trust Proton Mail.

Proton Email is also non-standard and is obviously not E2E encrypted when it
comes to communicating with non-Proton recipients. If I actually wanted
encrypted email, I would use GPG. It sucks from a usability point of view, but
it's standard and for email that matters.

> _I use Dropbox and it's still the leader in terms of features, but I see
> the competition catching up, with better privacy (end-to-end encryption)
> built in._

Curious, which competition?

I tried everything that I could find, because Dropbox has a high price and
their online search didn't work well even after I upgraded to Pro.

Btw, it might actually be better to do an encrypted drive with
[https://cryptomator.org](https://cryptomator.org) on top of Dropbox or Google
Drive. It's definitely more reliable ;-)

Or in other words, if the service provider does not get access to your files
due to encryption, then there isn't much value they can add. You can't have a
secure web interface for encrypted files, you can't have online search. So
might as well do application-level encryption and all you need is cheap and
reliable storage.

~~~
jest3r1
_> Curious, which competition?_

I clearly outlined many competitors similar to Dbox that offer end-to-end
encryption: (SpiderOak, Tresorit, Sync.com, pCloud). NextCloud (open source
self-hosted Dropbox alternative) also just launched end-to-end encryption.

 _> Therefore I would trust Gmail more than I would trust Proton Mail._

Google: don't expect privacy when sending to Gmail:
[https://www.theguardian.com/technology/2013/aug/14/google-gm...](https://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit)

Google terms of service: Our automated systems analyze your content (including
emails) to provide you personally relevant product features, such as
customized search results, tailored advertising, and spam and malware
detection. This analysis occurs as the content is sent, received, and when it
is stored.
[https://www.google.com/policies/terms/](https://www.google.com/policies/terms/)

~~~
bad_user
SpiderOak has a high price, has been very slow in my tests and their client
doesn't work well. There have been reports of throttling on large uploads.
Plus they've been stagnating. All of this is a symptom of them not being
popular enough I'm sure, but that's not a good sign.

pCloud doesn't do 2-factor authentication yet, which is freaking important for
your non-encrypted files at least. I asked them about it because I could not
believe it and they said it's "on their roadmap". But ALAS my trust in them
dropped to zero. The chances of implementing reliable encryption while not
getting basic security straight are next to none.

Plus you cannot trust encryption that is not peer reviewed ;-)

I haven't tried NextCloud, but ownCloud is shit. It's really slow, could not
handle the several hundreds of GBs I have stored and there have been
situations of users losing their data. Plus I'm not inclined to host my own
stuff, because that would get very expensive.

Actually you haven't mentioned the only real alternatives ...

(1) Resilio Sync ([https://resilio.com](https://resilio.com)) which I use, in
combination with a cheap VPS with 2 TB of storage on it (time4vps.eu in case
you're wondering, not affiliated)

(2) Syncthing ([https://syncthing.net](https://syncthing.net)), the open
source alternative, which is OK, but hard to configure and Resilio does stuff
out of the box, like encrypted folders

And I'm using Resilio Sync in addition to Dropbox. Well, I've actually
migrated to Google Drive (on GSuite) this month, due to Dropbox Support
pissing me off, but that's another story.

But the interesting part, which should be clear after a single day of usage,
is that all Dropbox alternatives, except for Resilio and Syncthing, fail at
the most basic task that users want, which is to reliably synchronize your
files. Even the big guys, like GDrive or OneDrive, have an incredibly broken
sync by comparison.

Just the other day I noticed for example how Google Drive can start deleting
files from your local hard drive, only God knows why, in order to re-download
them. And before that I dropped OneDrive because their client was freezing on
my Mac, not to mention a couple of months back they weren't doing the one
month file versioning thing, which is retarded in the age of ransomware.

~~~
jest3r1
So, between the two of us, we've now come up with a number of competitors
working on similar products that include E2E encryption. We both agree that
these competitors still have work to do, in terms of implementing features and
fine tuning performance. But they're not standing still.

The fact that both of us are actively using at least one alternative, in
addition to Dropbox, proves my point. That E2E encryption (alternatives that
offer better privacy) could be a threat to Dropbox, if and when the
alternatives become a viable total replacement.

------
a_d
Is this the first company to go public that (almost) started/took-off as a
"Show HN"? In a way, this is a big moment for YC, PG and this community. Is
there a list of "Show HNs" that have become "big"? It would be very
interesting to see.

------
varenc
Interesting. Glad to see that a security breach is called out as one of the
major risk factors on an SEC filing.

    
    
      Our business could be damaged, and we could be subject to liability 
      if there is any unauthorized access to our data or our users’ content,
      including through privacy and data security breaches.

~~~
eganist
Considering their service is the safekeeping of others' data, I'd probably
s/interesting/obvious.

Not putting your comment down, mind you. Most would probably find an infosec
inclusion as a major risk factor "interesting" in that it just doesn't feel
like infosec gets that kind of respect in the C-suite, but I'd like to think
it's different in this case considering the offering.

------
kccqzy
Congrats to everyone at Dropbox! It has come far:
[https://news.ycombinator.com/item?id=8863](https://news.ycombinator.com/item?id=8863)

~~~
wglb
I was hoping someone would find that. It is interesting how many negative and
middlebrow comments were on that submission. As there are on this one as well.

~~~
mrhappyunhappy
HN is generally very bitter. People here are quick to find faults.

------
faramarz
Does this suggest they are in the 60-day roadshow quiet period prior to the
listing?

It's a good value buy for me. Dropbox and Spotify whenever they go public.
These two apps I've been a paying member since I discovered them.

~~~
skellera
I’ve considered buying Spotify but I am unsure of future growth or long term
profits. What do you see?

~~~
mcintyre1994
It'd be interesting to see if they had a similar moment of growth evaporating
when Apple Music entered like Snapchat did when Facebook finally got a clone
to stick.

------
skaushik92

        Given the volume of our users, we do not track the retention rates of our individual users.
        As a result, we may be unable to address any retention issues with specific users in a timely manner,
        which could harm our business.
    

Isn't this measurement critical to understanding if the business decisions are
in line with customer expectations and use-cases? I find it odd that such a
key metric is not tracked, and having _more_ users should mean that it's an
even more reliable metric to gauge features and releases.

------
meritt
Rough numbers here because BOX hasn't reported full 2017 yet but:

    
    
        Dropbox 2017: $1107M Revenue
        Dropbox 2017 Paying Users: 11M
        ARPU: $100 [1]
    
        Box.com (Q4-16 to Q3-17): $479M Revenue
        Box.com (Q3-17) Paying Users: 9.7M - 10.2M [2]
        ARPU: $47 - $49 [3]
    
        [1] $1107/11
        [2] "over 17% of our registered users [57M] were paying users"
        [3] 479/10.2 to 479/9.7

~~~
swampthinker
Wow, I assumed that Box would've had a higher ARPU given its focus on
enterprise.

~~~
meritt
Me too. I'm trying to find better ARPU metrics to ensure I'm not
misunderstanding that vague "over 17%" statement. As a company they tend to
report "Number of Paying Customers" which are businesses and only occasionally
reference individual user accounts.

Though simply looking at per user per month pricing:

    
    
        Dropbox for Business has $15, $25, and Enterprise
        Dropbox Individual has Free, $10, and $20
        Box.com has $5, $15, $25, and Enterprise
    

The math doesn't even really make sense though. Dropbox's ARPU is $8/user/mo
whereas Box is $4/user/mo. Either my math is wrong or Box offers some
pretty steep Enterprise discounts that work out to <$5/user/mo.

~~~
swampthinker
I wouldn't be surprised if the enterprise discount is in fact <$5/u/mo. Seems
like a simple conversation, "Why am I paying more per person even though I'm a
large client?"

Digging deeper into Dropbox's finances is astounding too. They've added about
$150m in additional revenue each year, while cutting their net losses by $100m
each year.

------
laktek
It's interesting that they use Paying Users & Average Revenue per paying user
as their key business metrics. I find it simpler and closer to the reality
than the MAU & ARR most other SaaS rely on these days.

------
ejcx
Must be nice to be Quintin Clark. Showed up in Sept of 2017 and was awarded
$34MM worth of stock according to this S-1.

It looks like a healthy business. Congrats to dropbox.

------
joelrunyon
Amazed there's still no good permission settings on nested folders in dropbox.

Ran into this on a 4-5 year old project with multiple contributors and even on
their paid versions, there's no good way to consolidate folders that have
multiple "owners."

Seems like there has to be a better way to handle this - Google Drive takes
care of it much better.

~~~
nilsbunger
Dropbox Business supports nested shared folders now. Source: I evangelized it
and worked on it.

~~~
joelrunyon
But from different sources, etc?

I have a whole bunch of folders over the past 3-4 years that are "owned" by
different people that worked for me. I tried to get them all organized under
one subfolder and it's not allowed.

~~~
nilsbunger
Two options depending on what you’re looking to do:

1\. If you just want to personally organize shared folders you receive, you
can always put them in folders in your account.

2\. If you’re trying to create a nested shared structure, that’s what dropbox
biz does. You make your employees team members. The ownership issue becomes
less tricky since the biz content is all “owned” by the biz.

As a dropbox alum, I’m not up to speed on all the latest nuances. You should
chat with sales to see how it could work for you, or just try a trial.

------
malthaus
I have a lot of respect for Dropbox as they've created an awesome product and
user experience that accelerated its niche.

But as with Twitter I'm sceptical of the long-term prospects (and hence the
need for an IPO vs a trade sale) of single-feature/protocol companies.

Nice liquidity event for current shareholders but why should the public invest
here? The product is becoming more commoditized with time as well as being an
ever more tightly integrated feature with hardware/OS.

Box seems to have a lock on the enterprise market which feels like the better
long-term strategy than being a consumer/startup brand.

The stated growth strategy in the S-1 is rather meh. Post-IPO they might go
further down the Evernote route and expand in all possible areas, diluting the
core product/brand.

~~~
jedberg
> Box seems to have a lock on the enterprise market which feels like the
> better long-term strategy than being a consumer/startup brand.

Yet box only makes about $48 per user per year, whereas Dropbox makes $111 per
year. So either Dropbox has more enterprise than we think, or consumer is a
lot more valuable than we think.

~~~
napoleonIV
I know that Facebook moved to Dropbox from Box for internal use.

~~~
slackoverflower
Let it be known that Mark Zuckerberg and Drew Houston are best friends. I know
it might not be the main reason, but it is something to consider.

------
minimaxir
Do companies typically announce an IPO on a Friday, right before market close?

~~~
ereli1
Looking at data from the last couple of years, it appears that filing on
Friday is pretty common. (see ipomonitor.com for data).

    
    
      pbpaste |sort|uniq -c|sort -k1nr
        614 Friday
        436 Monday
        339 Thursday
        326 Tuesday
        283 Wednesday
          2 Sunday

~~~
jedberg
Those two on Sunday are interesting. I wonder if they are data errors and were
really Monday but in another time zone.

------
dzonga
Every time I read a 10-K or S-1 I imagine if humans evaluated their lives as
companies do. Humanity will be better off. Every potential and risk to a good
degree honestly evaluated.

------
rossgarlick
Interesting that there was no mention of IPFS / Filecoin in the Risk Factors,
or any other risk of decentralized storage possibilities.

------
taychen
It's interesting they have invisible small white text under images with
embedded text so that you could do a text search.

------
TroubleTicket
Reality check: Most enterprises aren’t adopting Dropbox… and for good reasons

[https://www.linkedin.com/pulse/reality-check-most-enterprise...](https://www.linkedin.com/pulse/reality-check-most-enterprises-arent-adopting-dropbox-greg-knieriemen/)

------
jseip
Amazed by the R&D expense of $380.3M especially because I'm not aware of
substantive innovations that they're bringing to market. How has / will that
investment translate into new technology or a technically superior product?

~~~
alex_young
R&D is probably almost all going to be salaries for engineering talent. It
takes a lot of people to run your own end to end solution for 500m users.
Remember, they are doing everything from software development to running data
centers.

------
foobaw
Any ideas on how I can purchase with the underwriter price?

------
willow9886
nice work, Dropbox.

------
chj
I used to love Dropbox, but nowadays I have little use of it. Sometimes it
just stops syncing and reinstallation won't fix the problem. And forcing API
upgrade caused a lot of headache for me as a developer.

------
Kiro
Where do all the new shares come from in an IPO?

~~~
uiri
Same place that they come from when doing an investment round with VCs - the
corporation issues new shares and dilutes existing shareholders.

------
kjaer
jxub called it on the Dropbox Foundation thread 2 days ago

[https://news.ycombinator.com/item?id=16428729](https://news.ycombinator.com/item?id=16428729)

------
carlsborg
Congrats YC

------
elvirs
only 1 in 50 users is actually paying? that's not good

~~~
martin-adams
Except that 49 out of 50 are quite likely to invite friends into the Dropbox
ecosystem through invites and shares of who can turn into a paying customer.
Sure more paying customers is good, but may be cheaper than paying for
advertising to acquire customers.

------
mankash666
Just curious - how's a raw SEC filing preferable to a reliable article
summarizing it in non-legalese, providing context with the competition, etc.

Other than lawyers and economists, does anyone ACTUALLY prefer this raw
filing?

EDIT: Adding my preferred link:
[https://www.cnbc.com/2018/02/23/dropbox-ipo-form-s-1-prospec...](https://www.cnbc.com/2018/02/23/dropbox-ipo-form-s-1-prospectus-filing-full-text.html)

~~~
teej
I always find juicy information in the S1 that doesn't get reported on right
away. Off the top of my head:

* Reliance and risks of Zynga in the Facebook S-1

* Customer acquisition costs in the Blue Apron S-1

* Growth specifics and positioning of algorithms in the StitchFix S-1

* Infrastructure costs in the Snapchat S-1

Besides, an S-1 filing is not written in legalese, it's written in plain
language. One of the target audiences is street investors so it's meant to be
accessible. I'm looking forward to digging into this one.

~~~
godzillabrennus
This is my biggest concern with the Dropbox platform summed up in the filing:

* Our business could be damaged, and we could be subject to liability if there is any unauthorized access to our data or our users’ content, including through privacy and data security breaches.

They have made progress. They managed to get SOC 2 compliance for all of
their offerings. They now offer HIPAA compliant hosting as well.

Not that long ago though (circa 2013) I remember a series of articles that
made it clear that Dropbox employees had access to customer data.

That spooked me enough to recommend folks pair it with
[https://www.sookasa.com/](https://www.sookasa.com/) if they were going to use
it.

~~~
gwbas1c
Early in my days at Syncplicity (a Dropbox competitor), I specced out what
was needed for true client-side encryption with no ability to decrypt on the
server. It's very easy to do, from a technical standpoint.

(We solve the problem by letting our large customers run their own servers,
with their own authentication via single sign on.)

The problem is that the user experience for client-side encryption is awful!
Every shared folder will need its own key, and users would need to manage and
share their keys outside of our system. That is not sustainable.

But then the major feature set breaks down. Want to access your files in a
browser? Not with client-side encryption. Want to email someone a hyperlink to
a file? Not with client side encryption.

The major lesson is that the world operates on trust. We can only stay in
business if our customers trust us.

~~~
diggs
There's also no deduplication with client-side encryption.

~~~
irq
Doesn’t homomorphic encryption allow for this?

[http://ieeexplore.ieee.org/document/7255226/](http://ieeexplore.ieee.org/document/7255226/)

~~~
candiodari
No. It doesn't.

~~~
irq
Can you explain?

~~~
candiodari
The whole point of encryption is that you cannot meaningfully compare 2 pieces
of plaintext.

Homomorphic encryption doesn't change that.

The only way to compare plaintext is to decrypt the whole thing. So either you
must trust a centralized org (like dropbox today), or you must trust a single
centralized key (that could be done with homomorphic encryption).

(Also the best homomorphic algorithms still make small programs take days to
execute)

~~~
XMPPwocky
Consider a scheme in which:

Each user generates a symmetric "user key", kU.

The plaintext of each file (or without loss of generality, block of data,
etc.), pFile, is encrypted with a randomly generated symmetric key, kFile,
producing the ciphertext cFile. pFile is also hashed with a cryptographically
strong hash, producing hpFile. kFile is then encrypted with hFile, producing
ckFile. The user encrypts pFile with kU, producing chpFile. Finally, the user
takes the first N bits of hpFile (for N on the order of, say, 16 or 32),
producing hpFileTrunc. The user then submits hpFileTrunc to the server.

The server is, semantically, just a list of 3-tuples: (cFile, ckFile,
hpFileTrunc).

The server sees if it knows of the existence of records with the same
hpFileTrunc value as the client's submission. If so, it returns them to the
client.

The client then tries, for each record returned by the server, decrypting
ckFile2 with the client's hFile value, potentially producing kFile. If this is
successful, the client then decrypts cFile with kFile, producing pFile.
Finally, it compares this pFile to the original. If it matches, a match has
been found, and the client exits the loop. If not, (or if either of the two
decryption steps failed), it continues to the next record the server returned.
If there are no more records, the client instead submits the tuple (cFile,
ckFile, hpFileTrunc) to the server, which stores it.

Finally (whether or not a match was found), the client stores chpFile locally,
to be used when retrieving the file.

To retrieve the file, the user decrypts chpFile with kU, producing hpFile.
They truncate hpFile, producing hpFileTrunc, and submit it to the server. They
perform the same process described earlier to retrieve the matching pFile.

(Note: truncation may also be replaced by, or combined with, a second round of
hashing.)

With this scheme, assuming secure primitives (authenticated encryption and
hashing), I don't believe it's possible to learn any information about a file
unless you already have its contents.

So the server can tell if you're accessing (storing or retrieving) a
particular file if and only if the server knows what it's looking for.

TL;DR: you can totally construct a scheme that allows meaningful comparison of
plaintexts!

But... this is probably a bad thing. Comparison of plaintexts is a
vulnerability: the server being able to see who's storing a particular "bad"
file has a real impact on privacy. And likely more subtle impacts, too...

~~~
candiodari
The whole point is to allow for comparison of large plaintext files that are
stored by many users. Think of mp3s, or large avi files, or, say, a linux
kernel image, or ...

> The server sees if it knows of the existence of records with the same
> hpFileTrunc value as the client's submission. If so, it returns them to the
> client.

And by doing this, provides a way for clients to verify if any user on the
file storage server has this file. So if I wanted to know if your mozilla
thunderbird has a mail I have the source to, I simply try to store this and
get these duplicate records.

Most people would consider this extremely unacceptable.

> The client then tries, for each record returned by the server, decrypting
> ckFile2 with the client's hFile value, potentially producing kFile. If this
> is successful, the client then decrypts cFile with kFile, producing pFile.
> Finally, it compares this pFile to the original. If it matches, a match has
> been found, and the client exits the loop. If not, (or if either of the two
> decryption steps failed), it continues to the next record the server
> returned. If there are no more records, the client instead submits the tuple
> (cFile, ckFile, hpFileTrunc) to the server, which stores it.

Why would the client have the keys to files stored by other users ?

Unless you mean that you can only deduplicate within a single client, in which
case that's of much more limited use (and I might add, your encryption scheme
is way more complex than it needs to be).

~~~
XMPPwocky
> And by doing this, provides a way for clients to verify if any user on the
> file storage server has this file. So if I wanted to know if your mozilla
> thunderbird has a mail I have the source to, I simply try to store this and
> get these duplicate records.

Yes. This is the reason you _don't_ want this property (being able to
deduplicate encrypted files)!

But you _can_ provide it, while still providing meaningful security against
other attacks.

The client has the keys to files stored by other users because _the keys are
the hashes of the plaintext, and the client can hash its own plaintext when it
has the file._

(Note a trivial modification to this scheme, solely client-side, allows for
certain files to be totally secure, with the cost of them being exempt from
deduplication)

~~~
candiodari
> The client has the keys to files stored by other users because the keys are
> the hashes of the plaintext

Personally I find only people explicitly authorized have the key to be the
whole point of security. And you're suggesting this as a solution to the
problem that organizations providing file storage could see what files you're
storing.

Under this scheme, it wouldn't just be that organization, but everybody who is
a client, that could see what files you're storing (or at least verify if
you're storing a particular file or not)

So I find your assessment:

> But you can provide it, while still providing meaningful security against
> other attacks.

Very dubious indeed, especially given the context of securing centralized file
storage, where the whole point would be to deny others access.

I mean it's a true statement, because you don't specify what "other attacks"
are.

I posit that given that this system leaks the plaintext of your files I find
it strictly worse than just giving Dropbox or Microsoft access to my files.

~~~
XMPPwocky
> Under this scheme, it wouldn't just be that organization, but everybody who
> is a client, that could see what files you're storing (or at least verify if
> you're storing a particular file or not)

You can do this today, with Dropbox or whatever else- anything that does
deduplication, _if_ it saves bandwidth by not asking for files it already has.

You can't tell _who_ is storing a particular file- only if _anybody_ is. Does
this leak information and impact privacy? Yes! But it still provides other
useful properties.

If you have a copy of a file, you can see if _anybody else does_ - a boolean
value. (And if the server is malicious, it can tell who does (if it logs).) If
you don't have a copy of a file, you can learn absolutely nothing about it.

So, for example, if a user uploads a, uh, personal image to the service- with
Dropbox, _in theory_ (they likely have strong organizational and technical
controls against this sort of thing, mind you) if the server is malicious they
can view that image.

With this scheme, the server can't.

On the other hand, if you, say, save a file containing only your social
security number- or a similar low-entropy value- the server can crack the hash
and decrypt that file. That's the price you pay for being able to deduplicate.

(Perhaps one could only deduplicate large files- thus handling the case of
movies, music, Ubuntu ISOs, large system files, etc. To implement selective
deduplication- if you want a file to not be deduped, replace all uses of its
hash with, instead, a unique random value to identify the file. Server
requires no modification.)
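
The scheme from this sub-thread, as an added sketch that is not any poster's code or Dropbox's: it shows cross-user deduplication, the existence check anyone with a candidate plaintext can run, and the random-identifier opt-out. It reads `hFile`/`ckFile2` as `hpFile`/`ckFile`, takes chpFile to be hpFile encrypted under kU, and uses a stdlib stand-in for authenticated encryption; all function names are assumptions.

```python
import hashlib, hmac, os

def _ks(key, nonce, n):  # SHA-256 counter-mode keystream
    return b"".join(hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def _tag(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def seal(key, pt):
    # Stand-in AEAD (assumption, stdlib only); use a vetted AEAD such as AES-GCM in practice.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + _tag(key, nonce + ct)

def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        return None  # wrong key or modified record
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

N_BYTES = 2  # N = 16 bits of hpFile are sent to the server

class Server:  # semantically a list of 3-tuples (cFile, ckFile, hpFileTrunc)
    def __init__(self):
        self.records = []
    def lookup(self, trunc):
        return [r for r in self.records if r[2] == trunc]

def fetch(server, hp):
    # Try each candidate record: hpFile unlocks ckFile -> kFile, kFile unlocks cFile.
    for c_file, ck_file, _ in server.lookup(hp[:N_BYTES]):
        k_file = unseal(hp, ck_file)
        p_file = unseal(k_file, c_file) if k_file is not None else None
        if p_file is not None:
            return p_file
    return None

def upload(server, k_u, p_file, dedup=True):
    # Opt-out replaces the hash with a random identifier; the server is unchanged.
    hp = hashlib.sha256(p_file).digest() if dedup else os.urandom(32)
    deduped = fetch(server, hp) == p_file
    if not deduped:
        k_file = os.urandom(32)
        server.records.append((seal(k_file, p_file), seal(hp, k_file), hp[:N_BYTES]))
    return seal(k_u, hp), deduped  # chpFile stays with the client

def download(server, k_u, chp):
    hp = unseal(k_u, chp)
    return None if hp is None else fetch(server, hp)

def confirm_guesses(server, guesses):
    # Anyone holding a candidate plaintext (server or client) can test whether it is stored.
    return [g for g in guesses if fetch(server, hashlib.sha256(g).digest()) == g]
```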

------
mankash666
Commentary on valuation:

1. Box, a public company, is currently valued at $3.17B. It had revenues of
~$480M with a net loss of $150M in 2017 [1]

2. In contrast, Dropbox had revenues of $1.11B with a net loss of $111M in
2017.

The higher revenues, and lower losses bode well for Dropbox. Objectively, that
would value Dropbox in the $8B-$9B range, $1B-$2B short of its previous $10B
private valuation

[1]: [https://goo.gl/Agf5Xt](https://goo.gl/Agf5Xt)

~~~
zawerf
Does this mean that investors in their $10B round lost money? Is this common?

~~~
phamilton
Rumor was they had weird liquidation preferences in that round, which made
it more like debt. Something like a 2x floor and 3x cap. Not sure how that
resolves in an IPO though.

------
uptown
"My YC app: Dropbox - Throw away your USB"

Apr 4, 2007

[https://news.ycombinator.com/item?id=8863](https://news.ycombinator.com/item?id=8863)

~~~
MrMember
There's always that one guy asking why a product exists when it's "trivial" to
spin up and manage yourself.

~~~
FreakyT
That comment is my personal favorite HN naysayer comment of all time:

 _> you can already build such a system yourself quite trivially by getting an
FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on
the mounted filesystem_

Yes, absolutely _trivial_. Even a _child_ could do it. /s

------
JepZ
It's been a while but for those who don't know: Some years ago Dropbox kinda
started here on HN

[https://news.ycombinator.com/item?id=8863](https://news.ycombinator.com/item?id=8863)

------
tardo99
Congratulations to them.

I don't really understand why anyone would use dropbox given the multitude of
different offerings out there. I'm curious if anyone who uses them can give me
a take on why I should use them. I currently use Google Drive + Google Docs
and am very satisfied. I pay for 1 TB of storage for personal work / storage.

~~~
news_to_me
I know this isn't a very good answer for most people, but for me at least, I
trust Dropbox way more than Google. I really dislike the direction and
influence Google has on the Web right now, and I'm more or less ideologically
opposed to them as a company (and in general, any giant monopolistic company).

I hate the fact that I have to "vote with my dollar," but in the end I just
feel better giving my money to an "independent" company like Dropbox or
Snapchat than to Google or Facebook.

~~~
braderhart
I don't. Google provides way more for a lot less money. You can encrypt your
own content on either provider. For GSuite you get literally almost every
service you can imagine, including a phone number that you can make unlimited
calls to/from landlines with using your computer.

~~~
news_to_me
It's not just about cost-effectiveness, it's about which company is making the
Web a better place — and I see a lot of Google's activities actively moving in
the wrong direction.

For me, it's more about the companies than the product (which, like I said, is
probably an unsatisfactory criterion for most people).

Glad you're enjoying Google's services though :)

~~~
braderhart
In a lot of ways making the world a better place is about cost-effectiveness,
and honestly what is Dropbox doing? Are they the main contributor to
Nextcloud? Yeah, Google isn't much better in that regard, but I can buy a
decent $199 unlocked Android phone now at Costco, and have all of Google
services integrated. They also provide a lot of decent open source tools.
Have you tried Kubernetes? :)

~~~
news_to_me
> In a lot of ways making the world a better place is about cost-effectiveness

I think we just have different worldviews. Certainly economics are important,
but I try not to boil everything down to dollars and cents.

And for sure, Google has done a ton of useful and interesting things that I'm
grateful for. But they also contribute to undermining online privacy, and use
their size to wield disproportionate power in politics, etc. etc.

~~~
braderhart
The CEO of Dropbox is listed as a founder of FWD.us:

[https://en.wikipedia.org/wiki/FWD.us#Keystone_XL_oil_pipelin...](https://en.wikipedia.org/wiki/FWD.us#Keystone_XL_oil_pipeline_support)

I agree that Google contributes to undermining online privacy, but I still
don't see Dropbox doing more in that regard. I'm sorry, but I really am not a
fan of Dropbox after my experience with them, so I am inclined to be a vocal
critic of their service (or lack thereof).

------
alexnewman
How big?

------
throwaway0255
.

~~~
Jtsummers
They're saying they have essentially one revenue source. A lack of diversity
in income sources is the risk factor. Compare to Microsoft: Various consumer
software options, OEM OS licenses, government contracts, support contracts,
physical hardware (Xbox), licensing for game publishers, Azure, etc.

Dropbox has one revenue source, and it's primarily fed by consumers (11
million at that, per this filing). A loss of 1 million users is a loss of 100
million in revenue for them, but doesn't correspond to a drastic reduction in
their costs (due to the number of non-paying users).

------
Krypt1k
Definitely gonna dig into this one.

------
megadeth
Will make a few billionaires.

~~~
kolbe
Really? How many people own more than 10% of the company?

------
speedie
Mega.nz

~~~
braderhart
Decent client yes, but honestly pretty terrible once you compare features.
Versioning counts against storage, speed can be slow, questionable company...

------
_RPM
The executive team each has a base salary of 400,000. That's a lot of money,
with a 65% target bonus. That is so much money.

~~~
ttul
LoL. Many engineers at Google make more than that with their RSUs.

------
runewell
I like Dropbox but as a potential investor I would be a bit nervous about the
online storage industry as a whole considering crypto-backed decentralized
storage seems only 12-24 months away.

------
JohnJamesRambo
I think Dropbox is a dying company, I don't know anyone that uses it in my
circles except old people now, very similar to Facebook.

