Hacker News new | comments | show | ask | jobs | submit login
Airbnb Competitor Checks IDs: 'We Don't Want to Trade Security for Volume' (betabeat.com)
265 points by citadrianne on July 29, 2011 | hide | past | web | favorite | 96 comments

Is anyone else finding it interesting to see how a bootstrapped startup is implementing tighter security standards and accepts slower growth as a consequence while the startup du hour, fueled by massive amounts of other people's money, is pursuing growth at all cost and with little regard for the consumer? Reminds me a little of the YouTube founders who wanted to grow and be acquired as fast as possible and willingly accepted pirated content.

I think this has nothing to do with Roomorama taking advantage of the situation for their own profit. If anything, these guys have every right to be pissed off that a careless competitor is tarnishing the whole industry.

I wish I could upvote that comment multiple times.

That's true in general. Bootstrapped startups, as a whole, are generally built to be long-standing real businesses, and they treat the business as such. You don't sink tons of your own money into an effort if you dont truly believe in the profitability of the business (profitability of the business, not potential valuation or perceived growth). Neither myself nor any of my friends who are bootstrapping their own firms pursue growth in favor of customer support, security or aggressive valuation.

They have every right to promote their differentiation. Speaking as someone who lives in a great part of Manhattan and is often out of town, I've never used AirBnb because I don't trust their verification. I will definitely look for a competitor that does more thorough screening, even if the volume and rental price is lower. It's worth it to me.

There's a fine line, though. If the cost goes too high, why not just stay in a hotel? They have a specific budgetary window to aim for.

Any of Airbnb's competitors are going to use this to their advantage. Rightfully so too... I didn't even know about Roomorama until this story.

The biggest part of the story though was thrown in at the end:

The harrowing story of the Airbnb user EJ prompted Ms. En Teo to reach out to her competitors in order to set a precedent for sharing information about sketchy users, so if she gets a report about misbehavior she can send an alert to get him or her banned from other sites. Incidents like this hurt the entire market as well as individual users, she said.

Some kind of data sharing would be a great thing for this industry as they are all vulnerable to the same problems (theft, etc...).

Careful with that type of data sharing. It can fail the game theory test. Lets say I'm a selfishly amoral actor in the room rental industry, and I want to lock up the market for myself. I can silence all my competition by releasing blacklist information on a number of current users, then those users will be banned by other sites and forced to continue using my site.

Banks do this today with their info sharing through ChexSystems. I've seen banks that will report their current account holders for the most trivial violations. The result being that the account holder can't open an account anywhere else.

ChexSystems is pure evil.

They have to be careful, though, as this kind of thing can be considered libel or slander if not 100% true, and collusion even if it is true. Having an industry-wide blacklist will almost definitely run afoul of the law.

Bars do this all the time in areas where there are problems - they scan your ID and then share the information with other bars, particularly if you get booted.

In the United States, if you make a good faith claim about someone, it's pretty hard to win a libel suit, and, I suspect, it would be even harder to claim that grading an individual rises to the level of slander/libel, particularly if you provide a mechanism to challenge the claims.

If this were not the cases, then credit rating agencies would have a difficult time existing.

While your general point still stands, I don't think the existence of credit rating agencies proves much. Even if they would otherwise have been liable, there fundamental utility would, I'm sure, have led to specific legal exemptions.

As it stands, the operation of such agencies is subject to a lot of specific regulation. http://en.wikipedia.org/wiki/Credit_bureau#United_States

Even better example; Casino's - I know people barred in pretty much every UK Casino, because they share the info.

the sites just have to remember to put that sign "we reserve the right to refuse service to anyone" and they are covered.

Put up that sign and then refuse service to blacks, and you're not fine.

Put up that sign, implement the described policy, receive disproportionate numbers of complaints about blacks (because landlords are racist?), enforce the described policy equally irrespective of race, and you are walking a fine line. You could be sued for that and might not be fine.

the point of the comment i was first replying to was that 'it always worked for brick and mortar shops'

here in LA it's impossible to walk into a bar or restaurant and not see that sign.

but yes, i see your point too.

Internet attorneys seem to love turning libel laws into this blanket prohibition on ever saying anything negative about someone or something that is not "100% true" and verifiable.

This doesn't even touch libel laws, and it certainly wouldn't be a _group_ culpability if there's one purveyor out there intentionally spreading malicious lies about some private person.

Landlords do this routinely. The last time I signed a new housing lease, part of the lease agreement was an agreement to allow the state association of landlords to share data about my history as a renter. Since I have a clean history, no problem. If I'm ever in a position to rent out housing units, I sure don't want to rent them out to people who have a KNOWN propensity to trash them. Nor do I want to rent to a renter with an established history of stiffing landlords on rent payments.

Hmm, that must be a thing that varies by state -- I've never heard of such a provision in KY.

I think as long as they follow something similar to the guidelines in [1] they will be fine -- having good reputation information is too valuable to make illegal.

[1] http://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act

This happens all the time in the Vegas casino industry. Heck, I think all casinos share a "perp" database with photos and everything. Illegal? Definitely not.

Doesn't this run counter to the referenced theory? A selfishly amoral casino would want card counters to bankrupt their competition, no?

Greedy, not just selfish. And it would harm them as well, since everyone would do it.

No, they profit much better by making sure Vegas is a thriving place with many casinos. If they DID manage to drive out all the other casinos, nobody would go to Vegas because it only had 1 casino!

Instead, it's much better to work together and share knowledge of the people who would rip them off.

And Data Protection laws

I call this the "problem of trust" and it is something I'm trying to solve. In order to be able to send out alerts, we need some sort of decentralized broadcast system. I am developing a P2P broadcast system called Proofnet which is based on proof-of-work to prioritize messages and minimize spam. I have describe it on the Bitcoin Forum here:


One of the applications of Proofnet is a decentralized web-of-trust where you can send out a scammer alert by giving someone a trust rating of 0 and broadcast that message with very high proof-of-work. See some more info on those efforts here:


It's a good idea, yes.

But in this case, and probably any that follow it, it's extremely unlikely they used/will use their own details or credit cards.

Am I the only one who doesn't think this is that big of a deal for AirBnB?

Honest question: how is Airbnb or any of their competitors different than vacation rentals?

You rent a house for a week when the owners aren't using it. Often the key's in a combo box or they mail it to you. The only real protection is a security deposit which you pay upfront. The concept has been around for ages.

Vacation rentals (through Homeaway et al.) are typically set up just for that reason, and thus have combo boxes, carry some insurance, involve a cleaning fee.

AirBnb democratized the process by allowing anyone to rent out any portion of their property, contributing to supply and more competitive pricing, but with this set up you get into weird situations where owner's valuables and jewelry end up in the next room.

an investment property is and should be treated differently than your own living property. I think this is the main point of confusion for most people. Most of these other services that do vacation rentals are usually renting out investment properties or timeshares. Its a huge difference.

Even with this event, I don't think the mixing of these two things is going to stop.

The present "wave of disruption" sweeping the world is based on finding ways to use resources more efficiently by changing social divisions. Even if Airbnb in particular now crashes and burns, there's so much potential savings in the airbnb model that people will continue to sweep away the earlier divisions in some fashion.

The business isn't different, however if you have a vacation rental, as the owner, you don't "live" there so you don't have your valuables, the couch you inherited from a favorite aunt, the nice new tv etc etc.

Airbnb and others have you sharing your primary residence, which puts it at risk if you are not also there. (and perhaps even if you are).

In a vacation rental house, other people will spend far more time in your place then you will and you plan accordingly. You might have a locked closet with your own stuff, but it probably consists of towels, toiletries and clothes - not electronics, birth certificates, financial documents, and highly-personal information.

They aren't, it's just a "smaller" scale using the internet.

The business idea is proven, AirBnB is just leveraging technology to stake out a significant market share.

Nothing wrong with this at all.

No, it's quite different. Vacation properties are set up for that purpose, with insurance, limited on-site personal property, etc.

There have been online vacation property rental sites for years.

AirBNB, however, sells itself as a mechanism for making some extra cash on your own actual day-to-day residence.

It doesn't really matter whether the property you are letting is your primary residence or not, really. What matters is that you aren't using it.

AirBnB caters to shorter, less formal stays than a normal rental site. It also presents a much improved User experience. It also implies that you can get in on this game if you don't actually own the property, but whether or not you can legally do this is up to you to know, not AirBnb.

It doesn't really matter whether the property you are letting is your primary residence or not, really.

It matters in terms of security. If you're using the property, that either means that you have a considerable amount of personal information and valuables on-site, or that you'll have to take them off-site to secure them.

If the property is a dedicated vacation home, then this will generally not be the case, and coupled with deposits, property insurance, etc, the risk to the owner is significantly reduced.

Good luck getting property insurance on an apartment you sublet.

You don't keep your birth certificate and grandmas jewelry at your vacation house.

You're an idiot if you keep these things in your house and then invite strangers to stay there.

That has nothing to do with AirBnB, or anything particular about their business model.

Expect to see a lot more of this. AirBnb are vulnerable right now, and in a very competitive marketplace. They really need to step up their efforts to contain the issue, or competitors are going to walk all over them.

I for one expect AirBnB to come out winners after the dust settles. I don't see their competitors' names on the cover of FT, and the way human memory works, people will soon forget the negative reason why they originally heard of AirBnB.

This of course supposes that the AirBnB guys handle the rest of this right.

Even if they don't, they'll come out stronger.

That is easily the silliest thing I've heard about this so far, and this is after reading AirBnB's PR statement.

If they fuck this up, they won't "come out stronger", they'll come out with a sufficiently heavy PR backlash that people won't use them anymore. And that'll be that. As it stands now, the only thing people are hearing are negative things about AirBnB, and unless they take huge steps to fix that, there's going to be a lot of people who won't touch them with a 10 foot pole.

I think we're over-estimating how big and widespread this story is, because it's all over the HN front page. Sure, plenty of people are going to hear about it and it's gonna be damaging for airbnb. But a whole lot of people aren't going to hear about it because they don't read HN or the Financial Times.

It's bad for airbnb, but shouldn't be a killer. From my point of view, my only surprise is that it didn't happen sooner.

Given how often major news outlets seem to jump on "THE INTERNET IS BAD LULZ" stories, I wouldn't be surprised to see this picked up and used as a reason to push that internet browsing history law [1], or some other net neutrality thing. Does it make sense? No. Will it help anything? No. But logic rarely matters when you're trying to be alarmist.

[1] http://www.techdirt.com/articles/20110728/17280315306/house-...

I hope you see how

But logic rarely matters when you're trying to be alarmist.

is ironic when you're saying

I wouldn't be surprised to see this picked up and used as a reason to push that internet browsing history law [1], or some other net neutrality thing.

I realize, but reading Techdirt for any length of time is a really, really quick way to kill any faith you have in the idea of an open internet and/or fair IP laws actually going through, at least in the US.

Yes, but it could yet get worse. With the (slow news) weekend coming up, if the tabloids ran out of fodder and decided to run with this story, it could get very big indeed.

Bah, hit the reply limit. I wasn't specifically thinking about US media- UK tabloids would have a field day with this, for one. AirBnb is a presence in Europe as well...

Good thing we have a debt ceiling crisis going on, then!

they are lucky this is happening at the same time as the US debt ceiling. on a slower news cycle, this would have been on the nytimes front page

If AirBnB fails, it won't be because some competitor comes and takes the market, it will be because the whole model of renting apartments doesn't work. And given the success they've had in such a short time, safe the say the model DOES work. EVERY SINGLE COMPETITOR will face the same online/offline hurdles. Don't think AirBnB won't copy whatever their competitors do better in a second, and they'll still be recognized as the trail-blazers in this industry.

This kind of news could kill peoples appetite for the product, despite the business model, effectively killing the whole industry segment.

There's no real security in the process described. If they stole a wallet with a credit card, they also have the ID. I'd categorize it as actually harmful because it gives more of an illusion of security.

Couchsurfing apparently has someone capable of logical thinking on staff. The round trip of verifying an address adds real security.

It helps, but it still wouldn't protect you from someone serious on bullying a host or the system.

Meh. I'm sure when this is all over, AirBnb will have put some measures in place to add additional security (from a pr perspective at least). Really, nothing short of legitimate insurance is going to make using a service like this "safe" (id's are easy enough to steal/fake) and I'm sure that the people likely to use something like this (who were already ignoring the common sense dangers involved) are not going to be deterred by ej's story (she claims on her blog to have been the type of person to leap first and wait for a net to appear).

In the end, many people who were never going to use AirBnB to begin with will feel more certain in their (probably wise) decision, and many new people who will be open to the idea will now have heard of it for the first time.

I am a fairly frequent renter through these types of services (mostly use VRBO) because we have way too many kids and hotels are way too expensive.

Nobody has /ever/ asked me for ID. "Key is in the lockbox, here is the code! Have fun!" is the typical greeting.

I've been asked for an ID for both vacation rentals (through VRBO) and from most places overseas through AirBnB. Each time it was when there were some valuable items inside.

In fact, every time I've gotten a place through AirBnB, the owner met me in person. Of course, I always rent higher priced places (I look for places nicer than a hotel for the same price).

I'm surprised that scanning IDs is much of a deterrent. If would-be thieves are going to the trouble of booking rooms on AirBNB and the like, they are obviously more than casual criminals, and probably fairly technically adept ones at that. Taking the next logical step to Photoshop the image doesn't seem like much of an obstacle for someone so motivated.

Indeed, if Nigerian 419 scammers have already picked up photoshopping IDs [1], you can imagine what a low barrier this will be. The real question is if you can verify the ID electronically from the image, and the answer will generally be no.

[1] http://www.419eater.com/html/hall_of_shame4.htm

You might be able to use Hany Farid's work on doctored photographs to show they've been tampered with. See, eg, this interesting transcript of his Nova appearance.


Steganography/image manipulation is an arms race but you'll keep the low end fake IDs out. At some point in the race master criminals are going to go for higher value targets than random apartments on AirBnB. And... problem solved.

Some friends of mine started http://Tripping.com, which isn't about room rentals, it's about meeting strangers while traveling globally.

But, even since the beginning, their focus has been on security. I suspect that this is the advantage of having a female CEO / Founder. She grokked that as a potential problem from the very beginning.

Jen O'Neil, is one of the most fantastic young CEO's I know. The whole team is simply amazing.

As others have alluded to, it's trivial to photoshop an ID with different info and photo. You could use a stolen credit card and a modified ID to make a reservation.

That said, I'm more concerned with "email a scanned photo ID". Are they seriously having users send scanned IDs through email? Email is completely insecure and should NEVER be used for sensitive information such as an ID. IDs should be treated in the same manner as credit cards. Would you ever ask a customer to email you scans of their credit card? You'd lose your merchant account faster than you can say law suit.

When the major media picks up this whole rent-a-room-to-a-stranger-fiasco the bad guys will be AirBNB and the good guys will be the roomorama (and other competitors that capitalize on it)

No, when mass media picks it up, the hotel industry will be made to look like knights in shining armor... the hotel lobby is big and powerful and media is corrupt.

AirBnB's fiasco is not a long-term benefit for their direct competitors either.

Spot on observation. So, it is idiotic for the competitors to hit on AirBnB, since that is the biggest company in their budding niche and if that falls, well, nothing will remain. They should all try to minimize the damage to their biz model.

EDIT: Let me elaborate: Firms compete among themselves in a given field and all's fair in this competition. However, when the whole industry is threatened, you should gather forces, or else not to try to make your competitor look bad, because that will rub on you. Well-known example is the tobacco industry (their PR is relatively unified). If the consumer's trust in the whole industry is shaken (as in AirBnB) then it doesn't matter you are better than your competitors in this or that regard, people don't care.

I think roomorama.com's idea to increase vetting is a good start (along with black-list sharing, as nasty as that sounds to me)... but it's only a start.

It doesn't, for example, deal with stolen identity. A recently stolen card+ID would bypass all of those protections, and easily lead to a quick buck for meth-lab operations (which is what EJ's situation sounds like it was).

You're right, it is a step in the right direction but bad guys can still find a way through. This is true for many different scenarios, e.g. applies to car rentals, too, you can rent on a stolen license and wreck it.

What AirBnB and others should do is to gather statistical analysis on how often such things occur, what's the cost, etc. and make this widely known.

In fact this could be additional revenue for AirBnB: offer different levels of protection for $N extra (a la car rental companies, they love to sell you protection, or Best Buy, where the employees pester you continuously about protection.) When life gives you lemons, lick them, i.e. don;t run away, embrace the difficulty.

In the end bad things will always happen but you have to know that the company you use will protect you when it happens. No protection, no business.

Has anyone elaborated on the meth-lab scenario? I'd like to hear the economics on that. Wouldn't it be a lot of effort, planning, and personal risk for the bad guys to book the room through airbnb and then just trash it seemingly maliciously like they did?

If this really was a case of some kind of mobile meth-lab operation, shouldn't we expect a number of other cases like this going on with airbnb rentals?

I suspect one of the reasons that airbnb was slow to reimburse EJ is that details are so bizarre on the surface. I think the hotel industry conspiracy theories are absurd. But I am curious to find out what was really go on in that apartment for a week whatever it was.

I was just going with jonknee's assessment: http://news.ycombinator.com/item?id=2814395

My parents' rental house which got used as a methlab when the original tenants left without notice (and apparently left it open). Some of the imagery seemed familiar.

Conspiracy theories aside, I'm sure most folks familiar with airbnb were wondering when this moment would occur, and what the response would be.

That's only if you have a lot of investment pressure to take over the space and make a killing at it. If you're taking a much smaller long-term and slow growth approach with your own / angel coin then you're in a much better position to weather the storm, and yes you should take advantage of this situation imo.

I'm commenting more on the story the media will run then the end result. I agree that the end result will likely benefit lobbyists and hurt any consumer-to-consumer services.

Is that bad though? If people don't trust this type of service, why do we act like thats a bad thing and hotels are evil for it?

I don't see how they could bend this particular story that way. You'd have to have a contrasting narrative making hotels out to be superior -- but here it was the property owner that got screwed.

This should be their slogan. It minds me of Avis' old slogan "We try harder" (because we're second).

Unfortunately as good as the intent is, a malicious user with devious intentions can simply forge an ID or use one of the many IDs they've already stolen from their unsuspecting AirBNB hosts.

I believe the best solution for fraud is to require the user to take a webcam shot of yourself while holding the ID next to your head. I had to do that once to verify my identity.

The effort required to photoshop such an image (or paste your own picture on top of a stolen ID) is trivial compared to the effort required to forge or steal the ID in the first place. Thus, I don't understand how this would be anything other than an inconvenience to honest users.

Requiring IDs like this might actually facilitate ID theft because criminals could create fake host listings and then request all sorts of information like this in order to steal identities. Much easier than breaking into houses to steal them.

It's the roomorama service requesting proof not the users.

Oh I know it is in that service but I don't think that's what the poster I was replying to was suggesting. He's suggesting as a host that you do that (although perhaps I misunderstood).

Requiring IDs like this might actually facilitate ID theft because criminals might create fake host listings and then request all sorts of information like this in order to steal identities. Much easier than breaking into houses to steal them.

Roomorama doesn't scale. You could try to crowdsource some of the vetting responsibilities, or appoint community members to "check IDs", but then you get into uncomfortable privacy issues.

In a country with widespread use of fake ids, this doesn't mean a lot. Once you're past 21, what do you do with the IDs? Keep them for younger friends or throw them away?

Something like http://www.trustcloud.com could help in situations like these.

Another sign that AirBnb could care less about its customers.

When first AirBnb heard about this, they could've

a.) Choose to protect her and other users from future incidents

b.) Hide and hope it goes away

If they choose a, 5 weeks ago, they would've already either changed the business process, or blogged about it to their community to warn them of danger (heck, the perp hasn't been caught/IDed yet).

But because nothing was done, the fact that they kept outputting PR responses, and offered no tangible amount/receipt/proof that they helped her, tells me that AirBnb is all about the $1 billion valuation. Nothing more.

Actually, someone has been arrested in connection with this case: http://allthingsd.com/20110729/airbnbs-rental-nightmare-ends...

The victim is such a great writer Roomarama should hire her for copy and PR

This whole air bnb story is blown out of proportions.

Yea, when you open up your house for people you don't know, it can happen that you will get it trashed (honestly I am surprised this is the first time that it happened).

There is no such thing as bad press, and AirBnB is only going to get more exposure and users from this. Case in point : Godaddy http://news.ycombinator.com/item?id=2822946

Hardly a valid comparison. The CEO shooting an elephant has zero to do with the product GoDaddy offers, so there was no way that the negative PR would end up affecting perception of their actual product.

The AirBnb fiasco is totally different- it's not the errant actions of a CEO (although they hardly helped), it's an exposure of danger in the core of AirBnb's product.

Just because many people say "there's no such thing as bad press," that doesn't make it true.

- former CEO of a startup that got some bad press

Of course there is. Case in point: Color.

— My anecdotal evidence is loud

— Mine is even louder!!!

'We Don't Want to Trade Security for Volume' = 'we don't want to be successful'.


"We don't want to trade security for volume" == "Your screw up is our marketing"

As someone else noted, I'd never heard of this company before, but now I have. Currently my only real impression is that they're NY focused and are security conscious. I think they'll take that introduction.

That's the wrong way of looking at the situation.

For many observers, airbnb debacle is the first exposure they have to the online personal rental market. Roomarama is trying to remind people that the industry as a whole is not broken (it's airbnb being screwy, not the entire business model). And if they get positive marketing from it, c'est la vie.

I would agree with that statement in a much more mature industry, but in this new area its easy for ill opinion of a firm to translate to ill opinion of the industry as a whole.

Not necessarily.

Whether or not that is a sincere claim, I think it's saying they are the antithesis of "by any means necessary", more like "we have a set of (conscientious) principles to guide us".

Why the downotes? Some further explanation I guess: Early at PayPal, we had lots of competitors making pronouncements like this and what they seemed to miss is that the actions they were complaining about were the very ones that made us successful.

> "He made no inquiry into my current emotional state, my safety or my well being."

Airbnb definitely screwed up here, but she just sounds like a professional victim. Lots of homes get burglarized every day. On a smaller scale, everyone probably had a car broken into at least once. Yes, it feels bad. Very bad. But it's not THAT BAD. Not on a scale when you expect someone to inquire about your "emotional state, safety, or well-being" a month after it happened. Airbnb's handling of this case is a big failure, but it's not fair to blame them for someone being so damn sensitive.

Let's face it, she didn't do it out of sheer goodness of her heart. She did it for money. Letting strangers into your home does and always will involve some risk. If you're so vulnerable that you can't possibly take that risk - don't do it, period. It's simply not the right way for you to earn a quick buck.

Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact