One way not to deal with the problem is to remove your RSS feeds altogether – which, it is rumored, local blog network Gothamist (home of SFist) is considering doing in order to concentrate on the distribution of their proprietary content apps instead. I’m confident that is an extremely flawed strategy, but I digress.

My girlfriend Violet Blue runs a highly successful blog, tinynibbles.com (warning: content very NSFW), which suffers immensely from splogs republishing her content without permission. As I look after her server and the technical operations for her empire of sites, I decided to see if I could help solve this problem in a different way.

What I am about to go through is a tutorial on how you can really try to hurt someone who is leaching your RSS feed – to the extent that it damages and potentially destroys their splog operation. I am not a lawyer but I do not believe any of what I am about to go through is illegal – although I’ll admit that it is naughty.

In a nutshell…

…what we are going to do is intercept the requests from the target’s server for our RSS feed and divert them to a ‘poisoned’ RSS feed that contains both content warnings but also javascript that when rendered on their website will take over their page, rendering their site and advertising useless for anyone that comes to visit them. If you wanted to go further, you could also use this method to try to execute shell commands on their server, although at this point things become legally murky and ethically questionable.

This tutorial assumes you have some basic site admin skills, can access your logs and can set a .htaccess file.

So here goes…

Step 1: Identify your target

Chances are you’ve discovered someone republishing your content via a Google search or a trackback from the splog to your site. The first thing to do is to get the IP address of the site. Most splogs will request your feed from the same server as they serve their webpages from so this makes it easy to identify them when they come to visit your site to pull down your RSS feed. I’m going to assume that my target has the ip address 123.123.123.123

Step 2: Search your logs

Search your logs for any access to your site by this ip address. You might want to try:

$ grep "123.123.123.123" /var/log/access_log

where 123.123.123.123 is the ip address of the splog and /var/log/access_log is the path + filename of your web server’s access logs.

Hopefully you will have found some matches:

123.123.123.123 - - [16/Jan/2011:14:03:51 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (880701279)"
123.123.123.123 - - [16/Jan/2011:15:57:13 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (1416539927)"
123.123.123.123 - - [16/Jan/2011:20:31:40 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (686799288)"
123.123.123.123 - - [16/Jan/2011:23:52:38 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (2099013304)"
123.123.123.123 - - [17/Jan/2011:02:26:34 -0500] "GET /feed HTTP/1.1" 200 - "http://www.mysite.com/feed" "Mozilla/4.8 [en] (Windows NT 6.0; U) (1475562814)"

It’s worth pointing out this will not work if you directly link your RSS feeds to a 3rd party site like Feedburner, because the request from the splog never reaches your server. At this point sadly there is little you can do, as Google (Feedburner’s parent company) do not give you control to serve different content to arbitrary ip addresses. If you want to use a service like Feedburner, consider offering publicly an RSS url on your server that 302 redirects to Feedburner – achieving the same result while maintaining control of requests.

Step 3: Build the poisoned RSS feed

We are going to create a separate RSS feed that we will redirect the splog’s requests to. If they are creating a new page/blog post for every item in your feed, our new poisoned RSS feed will force their server to generate pages containing what we want to say.

At this point you need to decide how far you want to take things:

• Display a content warning explaining that they are reproducing your content without permission and you are unhappy about it
• Display images from TubGirl and other Shock Sites
• Hijack their page’s DOM and redisplay the page. Anyone accessing their site will only see your content, with all adverts and other links removed.
• Attempt to run commands on their server – eg attempt to delete files, elevate user permissions, purge the database, etc.

For my situation I decided to go for the first 3.

To create the poisoned RSS feed, you could save out your own current RSS feed and use that as a template. Replace the obvious text in each item with what you would like to say and save it back to your server. Alternatively you could just use my poisoned PHP script on Github.

My script will make their request’s IP address and other HTTP details appear at the footer of each page along with a tracking string so you can search in Google for any other places the are publishing too. It will also try to inject JavaScript that will manipulate the DOM so that when they or anyone else visits their site only your message will appear. Finally, the script outputs 10 identical items, each with a random GUID so that more pages are created each time the splog revisits as it will think each item is new each time.

As a bonus you can also set it to email you when someone access the poisoned feed.

Step 4: Intercept the splog request

The simplest way to divert requests for your RSS feed by the splog, and divert them to the poisoned RSS feed is to put the following into the top of your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
RewriteRule ^(.*)$ http://www.mysite.com/poisonedrss.php
</IfModule>


Again, where 123.123.123.123 is the splog’s ip address.

Step 5: Sit back and wait

You can now sit back and wait until the splog requests your content again, at which point it will be directed to your poisoned feed. The splog will go on to ingest the poisoned content in it.

What will happen is that the splog will take each of the items in the feed and convert them to individual pages. Your poisoned content will get ingested into their pages, where if they are not running a correct level of character escapes, Javascript and other code will get executed when the end-user visits the page.

At first I thought was a strange choice, until it dawned me on that this WiFi company was essentially putting a marketing $ value on my Facebook account… Hand over access and they’ll monetize my account in some untransparent way in order to cover the cost of the not-so-free-anymore wifi.

It turns out BOLDstreet Wireless has built this out as a product which companies like Calgary Airport Authority can be purchase to track, monetize and analyize public wifi hotspot activity.

In true hacker mentality I logged in with a fake developer account I use for testing purposes – but whatever.

I forgot all about this until today when I was invited to do exactly the same – give permission for an app to access my Facebook account in return for a ‘free’ Häagen-Dazs ice cream.

Now, there is nothing new or usual about companies wanting to get a little information about your for the CRM systems in return for providing a free sample. But there are some stark and concerning differences created with this new approach:

• Unlike a survey which questions you directly, there is no transparency as to what information is being taken
• In addition to my own profile data, limited data about my friends is being handed over too.
• A fresh snapshot of this information can be requested at any time due to the fact permission persists until the user turns it off
• More personal data might be made available in the future as Facebook evolves the data they store about you – eg phone number

Perhaps one of the most concerning aspects of all this is the fact that BOLDStreet and Häagen-Dazs are potentially getting access about me through my friends using their service – data I did not give either company permission to have. In fact, I wouldn’t even know if they had this information.

There’s nothing new per se with the issue of applications having access to this data – this has been the case since day 0 for apps. However, one argument has been that socially orientated apps need this information in order to be able to provide a social experience. But this use case is certainly new and doesn’t warrant these types of companies gaining access about a user’s social graph in addition to the user’s personal details directly.

From my own experience, this is becoming a common trend. Facebook Connect certainly has advantages but it also has disadvantages too. Be careful who you are giving permission to your account to and make sure you regularly review the list of companies and apps with permission to access your profile (ditto for Twitter too).

It was interesting to read tonight that Microsoft’s chief research and strategy officer, Craig Mundie, isn’t sure whether there is a long term future for tablets such as the iPad.

“I don’t know whether the big screen tablet pad category is going to remain with us or not,” is what he specifically said.

I find the tablet space incredibly fascinating which is why I uncharacteristically rushed out and bought an Apple iPad on the day they launched last year. Being the first of its kind on the market, as a product manager and technologist I needed to understand how this new device genre would fit into our personal and business lives.

It was interesting to learn this weekend that my parents and brother (who all live together back in our family home in London) have kitted themselves out with iPad 2.

A year later and sans-iPad 2, while I remain interested in the space I do feel it is incredibly over-hyped. Everything, for me, screams of the NetBook era but all over again.

On the consumer side, NetBooks never really replaced an existing device but instead tried to create a new need – albeit one that was at a low enough price point that many people could extend their budgets too in almost throw-away fashion. But their size and sub-performance limited their true abilities and people got bored quickly.

On the business side, there was a rush to the bottom where manufacturers focused on making cheaper and cheaper units, ever more decreasing their profitability until it became financially uninteresting for major players like Dell to maintain any real focus on their NetBook lines (do you see any netbooks on Dell’s website?).

Everything I can see points to the same thing happening in the tablet market. If Apple want their tablet to be mainstream they have to offer a mainstream price-point, and expect to see all of the Android tablets sink quickly to dizzyingly low prices as competition heats up in 2012.

We’ve already learned that content creation and productivity, like with NetBooks, is hard and unsatisfying on a tablet. Lack of a real keyboard, weird viewing angles, whatever. Point is, tablets seem destined to be content consumption and reference devices – which immediately makes them an uber-luxury item for many folks. It also becomes questionable just how valuable tablets are to business if productivity apps are inefficient on the form-factor.

So maybe there is some merit in Craig Mundie’s argument that big screen tablets (ie ones 12″+) might disappear. I think he’s right to imply a lot of interest in the small screen tablet market (7″-9″) – which is currently dominated by the Kindle if you consider that a tablet. That smaller form-factor is cheaper to produce (ie less of a luxury) and more tailored to content consumption over creation/productivity.

However, strategy is often about making bets – sometimes going long, sometimes shorting, sometimes hedging. For a company of its size and dominance I don’t see how Microsoft can afford not to place a bet around the larger tablet market. It’s a competitive space (Google and RIM, not just Apple) but I can’t see how they can throw in the towel before they’ve even tried.

What I don’t see though is how this is stacking up to become the post-pc era. Content still has to be created somewhere, work still has to be worked on somewhere – and at scale, it’s not on the tablet.

photo licensed under CC license, thms.nl

Bill Schneier has highlighted two types of fraud currently occuring on the Amazon Kindle Marketplace due to lax copyright enforcement.

The first type of fraud stems from content farm behavior moving onto Kindle – with scammers sucking up content across the internet, uploading the content as Kindle eBooks to Amazon and then using fake accounts to review the books to obtain a good rating. Unsuspecting readers discover these books via search (because they are stuffed with keywords) and end up buying dud content. This is discussed in more detail over on Publishing Trends.

The second type of fraud involves eBooks uploaded to the Kindle Marketplace by people who do not own the copyright – which apparently is a growing trend given the prevalence of PDF based distribution by independent authors and those signed to more progressive publishers.

Incorrect priorities

When it comes to resourcing copyright enforcement within it’s Kindle Marketplace, I think it is a shame that Amazon continues to prioritize on penalizing its customer base while practically ignoring the rampant content abuse and fraud that is going on further up the chain within its own house. Authors are even complaining that Amazon is ignoring their reports of copyright violation and even DMCA take-down notices.

Instead Amazon would much rather stop readers from exercising their full right to copyright (such as being able to loan a book or even sell it on) by implementing such ‘protections’ into their software and devices, and even shutting down websites such as Lendle that try to facilitate the token limited degree of ‘loaning’ that is possible with some Kindle books.

The Kindle is a beautiful device and Amazon is doing some amazing things with content consumption and distribution elsewhere within their business. Their Amazon Cloud Drive which allows you to store and stream your MP3s is game changing stuff. But until they resolve these issues with the Kindle, I continue to be put off from buying one.

Photo CC licensed by JulesHolleboom.nl

Genetic testing startup 23andMe is running a ’1-day sale’ that removes their normal up-front testing fee of $199. The catch- you have to agree to subscribe to 12 months of their genetic update service, whatever that is, @ $9/m.

Seeing as I’ve had two friends ping me about the promotion, and its now ended up on Hacker News, I thought I’d write an off-topic on my concerns about the impact of genetic testing in this way.

For those that don’t know, I always expected to enter a career in bio-technology but as my understanding for the topic grew, so did my understanding of its implications and its (non-religious) ethical questions.

23 and John Doe

My advice to anyone thinking of doing genetic testing (be it 23andMe or another route) is to consider seriously doing it at as a “John Doe” (ie not using your real name and details).

Knowing you have a high susceptibility to a significant disease could have all sorts of implications for insurance – medical, life and even car.

In general insurance companies require you to disclose any and all information that you have that would be pertinent to them assessing risk. Clearly for medical and life insurance you knowing there is a high chance you will get Parkinsons (for example) is information your insurer would like to know.

Here in the US there are currently laws – such as Genetic Information Nondiscrimination Act (GINA) – to prevent insurance companies demanding this information.

However laws can be repealed. The health care and insurance industries are the ‘leaders’ in government lobbying. 23andMe could be aquired by an insurance firm.

Also consider laws differ in other countries, where insurance companies might be able to legally demand results. In Canada insurance companies can not only request it, they can demand you get this kind of testing before you can obtain coverage.

Consider further that databases can be hacked/stolen.

Think carefully whether you want your personal legal name and contact details all over the results of a test like this.

Photo CC licensed by hongiiv

Her piece focuses around the dreaded “BBC Editorial Policy Unit” which was set up to appese the fallout from the 2008 Russel Brand prank call debacle and the prior findings of the Hutton Inquiry. “Russell Brand-gate” was about Russell Brand being, well, Russell Brand albeit on a pre-recorded radio show where someone editorially should have known better, and the Hutton Inquiry was about the fact that the BBC ‘falsely’ claimed the UK government had lied about claims Saddam Hussain had Weapons of Mass Distruction in Iraq.

(Except, that it turned out that the BBC was right all along, but that only came to light years after the Labour-government initiated inquiry had performed it’s ‘duty’ and given The Corporation a good kick in the bollocks)

The Editorial Policy Unit (essentially an internal editorial watchdog), it is claimed, is stifling bold, innovative and risk taking content from being produced because the BBC is too afraid to broadcast anything that might create another Hutton Inquiry or Brand-gate.

And as a former BBC employee I would definitely agree we’ve ended up with a BBC that is afraid to take risks.

The reasons for this, however, go far deeper than just the Editorial Policy Unit – but into areas such as not having the budget for innovative programming because the Tory government has frozen the BBC’s income over the next 4 years (essentially a 17% reduction marked against inflation). Or the corporation being kneecapped from doing anything innovative or risk taking online because the findings of the Graff Report warned that the BBC might be stifling the commercial sector. Now whenever the corporation wants to do something new and innovative online it must perform a series of bureaucratic “Public Value Tests’ and market impact evaluations – in concert with the regulator OFCOM which takes years to compete.

So yes after the (editorial) kicking, (innovation) knee-caping and (resource) strangling the BBC has gone through over the past 5-10 years, yeah it pretty much is affraid to take another risk.

But isn’t that by design and as intended?

Graff Report, Hutton Inquiry, et al are all thanks to the desires of past and previous elected governments and the influence of the media industry as a whole but in particular Rupert Murdoch and The Guardian backed Association of Online Publishers (AOP). This is what everyone wanted, no?

It seems ironic that the publisher of the original piece by Maggie Brown is the main protagonist within the AOP that demanded the Graft Report in the first place.

And we, the British public, have let it happen – perhaps not realising just how lucky we were to have a public service broadcaster like the BBC that would take risks the like of which commercial sector would never consider doing. The promise that the commercial sector, now un-stifled from the BBC’s supposed market saturation, would step in and save the day has sadly not proven true.

So maybe there is a place for strong, risk-taking public service broadcasting after all. Maybe there is a something perverse about people whinging that they don’t want pay £145.50 a year for high-quality, advert free BBC content but then happily shell out £100′s every month to satellite and cable providers who’ve demonstrated about as much risk and innovation as a ham sandwich.

Because otherwise the severely handicapped BBC we have today is the BBC we all let happen. The gift we never really thought we’d miss until it began to disappear. Which it now slowly is.

“Cut the Crap” photo CC Jem Stone, a former colleague. The former Director General of the BBC, Greg Dyke actually commissioned these ‘yellow cards’ during my service at the BBC for rank-and-file staff to use in meetings if unnecessary impediments were getting in the way of innovative and important work being broadcast. Oh how times have changed.

Memories of an era when the BBC was innovative and risk taking:

BitCoin

I’ve spent the last few months researching BitCoin, which for those who don’t know is a p2p currency system that is (sort of) de-centralized and certainly delineated from any government control or intervention. There’s some pretty sophisticated technology behind it which ensures true scarcity (the fundamental issue for any economic model) but it also enjoys some impressive security features and seems to be incredibly solid on the privacy front.

What is particularly interesting is that you can essentially ‘mine’ BitCoins by running complicated algorithms on your computer (or servers) which is how new BitCoins are created (although that also creates an inflation factor in the market of course). If you are an economics wonk you’ll cream yourself over BitCoin. There’s already a ton of interesting thoughts on the cost of electricity to ‘mine’ a successful BitCoin chain vs the value of the unit of currency, plus numerous trading markets etc

Many wonder if BitCoin is legal – but that’s a superfluous question because it’s totally uncontrollable and the distributed nature means it doesn’t exist in any one jurisdiction. Certainly if it becomes a way for terrorists and organized crime to launder money then I guess we’ll really see governments stepping in.

Anyway, I’m seeing signs that BitCoin is about to move out from being an underground project and into mainstream focus over the next few weeks or so. It will be interesting to see some sunlight on it from existing financial world as I am still on the fence as to whether it is a folly or the early start of something significant.

PlayStation Network

Having (apparently) fixed their security problems, Sony have powered up the servers powering the PlayStation Network and reopened it to users. I asked on Twitter whether anyone would actually be jumping back in.

My guess is that kids who don’t care about the issues, and probably using their parent’s credit card anyway, will get straight back on there. As will die-hard gamers who prefer human-based competition as PSN is their only option.

But the growth and strategic opportunity for Sony Playstation Network is the ability to deliver services like Netflix, IPTV, games on demand, etc. The problem is consumers have many choices there, with competition not just from rival Microsoft XBox Live (and Nintendo’s next gen console) but Google TV (if they get their act together), Apple TV (ditto), Roku, Boxee, etc. While the same security problems could theoretically be faced by those vendors too, the bottom line is that they haven’t had those problems. And consumers are rightly worried about Sony’s security.

Google IO

Google IO happened on Tuesday and Wednesday this week – I’ve attended everyone since they began in 2007.

It costs ~$500 to attend Google IO (assuming you can get a ticket). The event takes place at the Moscone West conference center, where Google is required to use the conference center’s in-house catering company for all food and beverage. The rumor during the rounds at the event was that in order to meet Google’s own standards for quality of food, the ticket price for the event barely covered the cost per attendee for food (two lunches, evening reception and snacks). Frankly, those numbers add up to me. The food was the best I’d ever had a conference, and the logistics of feeding 5000 people is just insane.

But my point isn’t about the food. The point is that every year Google puts on one of the most slickest and highest quality conferences in the conference calendar, at one of the most expensive conference venues in the country. And it bankrolls with the ticket price being a mere drop in the budget. I’m guessing Google easily sinks $10m+ into those two days. It might even sink $50m for all I know – I have no idea what it costs to rent the Moscone West center for 2 days + setup and tear-down.

The announcements themselves were exciting and refreshing – like Google open sourcing all of its hardware accessory development unlike Apple which requires accessory makes to get their devices certified (ie pay $$$). But that’s for another post.

The point is I can’t think of another company that makes the level of investment into Developer Relations that Google makes. It’s really quite incredible.

Call to action

My weekend musings are based on things I observe and comment on during the week over on various social sites. If that interests you, make sure you follow me on Twitter and Quora, and keep across my Hacker News comments page.

Photo: my partner Violet outside of Google IO with the Android plushie Google gave me during my registration

I’m a firm believer in Creative Commons and copyright reform, and so I license practically all creative work I produce under a Creative Commons Non-Commercial Use Share Alike license. This includes all photos I take (even with my pro equipment) and all blog posts I write, including this one… basically anything which isn’t otherwise covered under an existing agreement with a client/etc or a personal photo of a family member (I don’t want those re-used) is CC-NC-SA.

The abuse of work licensed under a Creative Commons Non-Commercial License in a commercial setting – knowingly and unknowningly – is a well-written subject.

However it is sad and disheartening to discover companies that abuse the Creative Commons License who operate within the image/photo landscape and thus are placed to know better. It is even worse when the foundation of their entire company is based around this abuse.

Enter Fotopedia.

You can go read their mission about about creating a photo-based encyclopedia for humanity, but the bottom line is that they are a commercial entity backed by $3.4m of venture funding that contains mostly Creative Commons Non-Commercial photos as the foundation of their company’s database.

In addition to their venture funding, they sell mobile applications that contain a sub-set of photos, offer other mobile applications for free but with sponsorship/advertising and they solicit commercial partnerships on their website.

Fotopedia is clearly a for-profit entity operating commercially and thus their use clearly falls outside ‘non-commercial use’.

C&D > DMCA, for now

Rather than filing a series of DMCA requests, which I’m legally entitled to, I have decided to send them a formal Cease & Desist letter due to the fact that the Creative Common’s license produces some ambiguity. I’d also like to open a dialogue with them rather than simply embark on a DMCA notice/counter-notice play.

However it is a difficult situation because if I’m right, and Fotopedia shouldn’t have any CC-NC photos on their site, then I can’t see how Fotopedia has any business. I think the Fotopedia service at its heart is interesting, it’s just a shame that it is being run by a commercial entity.

I will keep you posted with their response, but in the meantime here is a copy of my Cease & Desist letter in full.

FOR THE ATTENTION OF THE OFFICER IN CHARGE OF HANDLING COPYRIGHT COMPLAINTS, OTHERWISE THE CHIEF EXECUTIVE OFFICER

Dear Sir or Madam:

Without Prejudice

It has come to my attention that you are operating a web site found at http://www.fotopedia.com. Your web site contains the following copyrighted images belonging to myself, Ben Metcalfe. These can be found at:

• http://www.fotopedia.com/items/flickr-2704019377
• http://www.fotopedia.com/items/flickr-54783051
• http://www.fotopedia.com/items/flickr-152520511
• http://www.fotopedia.com/items/flickr-2704845170

These photos have been licensed under the Creative Commons Attribution Non-Commercial 2.0 Generic license (http://creativecommons.org/licenses/by-nc/2.0/deed.en) and as such may only be used, reproduced or have copies made without permission of the original copyright owner in situations where there is no commercial activity occurring.

However your use of the above images on your website “Fotopedia” clearly falls under “Commercial Use” based on the following criteria (but not limited to):

• You are a Delaware Corporation having raised $3.4m of venture funding (http://www.crunchbase.com/company/fotopedia)
• You solicit commercial opportunities on your website (from http://www.fotopedia.com/company/mission: “For business and partnerships: partner@fotopedia.com”)
• On pages such as http://www.fotopedia.com/wiki/Apture, which includes a copyright image I own, there is an advertisment for your “Above France” iOS application which is a commercial application costing $2.99 in the Apple App Store.

As an aside, I would like to bring to your attention that you have attributed an incorrect Creative Commons license on mine and other images on your site. For example http://www.fotopedia.com/items/flickr-152520511 points to a CC-BY-NC 3.0 Unported license (with url http://creativecommons.org/licenses/by-nc/3.0/) when the original photo on Flickr clearly links to a CC-BY-NC 2.0 Generic license of a different url (http://creativecommons.org/licenses/by-nc/2.0/deed.en). While similar, these two licenses are not identical which further suggests a misunderstanding or bad-faith of Creative Commons Licensing on your company’s part.

Given the above, your use of these copyrighted images falls outside of the narrow permissions of non-commercial use under Creative Commons and as such you have neither asked for nor received permission to use these images, nor to make or distribute copies, including electronic copies, of same. I believe you have willfully infringed on my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) therein.

I hereby demand that you immediately cease and desist use of these images.

Based upon the foregoing, I hereby demand that your confirm to me in writing within ten (10) days of receipt of this letter that: (i) you have removed the aforementioned infringing images from your site; and (ii) you will refrain from posting any similar infringing material on the Internet, Application or any other service you control in the future. If you do not comply with my request to remove the infringing images from the web site within ten (10) days from the date of this letter, you will leave me with no other choice but to pursue all available legal and equitable remedies against you.

Sincerely,

Ben Metcalfe
[address redacted]

His own account of what happened suggests that Zak made over-reaching assumptions as to his ‘rights’ to enter the US, that he didn’t have his paperwork in order and that he gave misleading answers to some of the questions the CPB offier asked him. Plenty of discussion on that in the HN comments.

However, the issue does raise a question that I’ve been wondered for some time – can non-US citizens legally participate on Y Combinator with just regular B1 visa or do they actually need a ‘work authorization’ type visa? And if so, is there even a US visa type suitable for legal participation in Y Combinator?

This would be a good time to give the health warning that I am not a lawyer, and all of these thoughts are simply based on my own experiences of working in the US on a visa for the last 5+ years and the knowlege of immigration and visa law that I’ve obtained over the years.

From Y Combinator’s FAQ here are some pertinant facts about participating in Y Combinator related to visas:

• You must physically be in the Bay Area for 3 months during the program
• You must setup a US company (which will either be your startup, or a subsidiary of it)
• Y Combinator will invest a small amount of money ($10k-$20k range) in your new entity for 6-7% equity
• During Y Combinator you will build out your prototype and seek investment

A B1 is the type of business visa most citizens of visa-waiver countries can obtain at the airport when you land (usually having applied for an ESTA online before hand). From Wikipedia’s B1 entry the activities you are allowed to do on a B1 visa are:

• Negotiate and sign contracts
• Purchase supplies or materials
• Hold business meetings or attend/exhibit at a convention
• Settle an estate
• Sit different types of exams and tests held inside the United States

Here are the issues, as I see them:

You are not legally allowed to ‘work’ for the startup on a B1

While seeking investment, and taking the meetings that go with that, would satisfy the first activity type of the B1, building your prototype (ie performing software engineering) while in America doesn’t. Y Combinator’s FAQ mentions that almost all foreign nationals can establish a business in the US – which is true – but you are not legally allowed to work for that entity (be it W2 ‘employment’ or 1099 ‘contractor’) without a visa and US work authorization.

You cannot self-sponsor a work authorization visa such as H1b

Depending on who you talk to it is either impossible or incredibly difficult to ‘self-sponsor’ a work authorization visa. Self-sponsor is when you own a majority or controlling stake in the business wishing to sponsor your visa – which if Y Combinator takes a 6-7% equity stake, the founders are still going to be considered to have controlling stakes.

Once you have board of external directors (eg investors) who have the ability to fire you, obtaining this kind of visa becomes more easier – but this of course creates a chicken-and-egg trap because you can’t get those investors until you’ve participated in Y Combinator and if you already have them you are unlikely to be wanting to do YC.

E2 Investor visas (which seem most appropriate here) are no good for venture-backed businesses

The US has a visa category for foreigners wishing to establish a business in the US – E2. It’s relatively easily to get and there’s no quota. You just have to invest $100k+ of your own money. The issue here is that most startups don’t need that kind of money during the very early stages of life, and many entrepeneurs don’t those kinds of funds available anyway. Rules state that the E2 holders can never lose less than 50% controlling stake in their company, and as such you would almost certainly never be able to raise venture capital on those terms as there would be a cap on how much investment you could ever take and no method of exit without nullifying the founder’s ability to continue to work in the US.

It usually takes 6+ months to get any kind of work authorization visa

It depends on which country you live in and the backlog at the local US embassy, but obtaining most work authorization visas can easily take 6+ months. Y Combinator, as I understand it, gives successful candidates only a few months notice at best that they have made it into the program. H1b’s, a common work authorization, have a minimum amount of time between application and date of issue to make absolutely sure the sponsoring company can’t find a suitable US citizen to perform the work (which in itself indicates this is not really an appropriate visa type for a founder).

You must prove there is no immigrant intent

Finally, anyone entering the US without an immigration type visa (B1 is a visitor, non-immigration visa) must prove that they do not have immigrant intent. The onus is upon the individual to prove that they do not, not on CBP to prove that they do.

Establishing a US business with the intention of finding investors to invest, and specifically needing to create a US-based entity because US investors don’t want to invest in foreign based companies, doesn’t particularly lend itself to demonstrating clear non-immigrant intent and that everyone is going to pack up and go home when things are done.

My own anecdotal evidence suggests that most foreign participants in Y Combinator do go on to establish living here in the US.

To be clear – I personally have no problems with people wanting to come and live in the US and create their startup in the US. But I raise this because it’s the open-ended ‘gotcha’ UCIS and CBP use to deny entry so often. How do you exactly prove you don’t have the intention to do something?

So what of it all?

I love Y Combinator. I love startups and entrepreneurs. I am a foreign national living in the US who wishes the visa/worth authorization restrictions on entrepreneurs were a lot more relaxed AND welcoming.

Zak, our original protagonist in this story probably would have got past CBP if he had his paperwork was in order and had been briefed on what to say/what not to say. But that doesn’t mean his participation in YC would have necessarily stayed 100% within the B1 visa type.

And so I remain perplexed as to exactly what visa type foreign nationals wishing to participate in Y Combinator should be on – and in fact whether any of them are actually suitable or applicable.

We all know the visa situation for startup entrepreneurs is broken, and something like Y Combinator is somewhat unique anyway.

But with stiff penalties for ‘fraudulent’ visa application and missrepresentation at the border – potentially as much a permanent bar from ever entering the US again – I can’t help but feel Y Combinator has a greater responsibility to the often young and slightly naive (case in point: Zak) entrepreneurs it courts to be clearer on the exact visa their partipants need.

I would go so far as to say that Y Combinator needs to clearly and formally demonstrate how participation by a foreign national is even legally possible given today’s fucked up visa situation.

Footnotes: I love Y Combinator, this isn’t a bash at Y Combinator in any way. I should also remind you, I am not a lawyer. If you are a foreign national looking to work in the US you should have an attorney anyway.

In my consultancy practice I tend to work with larger corporate/enterprise technology clients who want me to help inject a bit of ‘startup mentality’ into their innovation and engineering processes. Having the right execution team is often crucial to anything I do so getting like-minded employees on board is often one of the challenges to be faced as part of a project.

And so here’s the bottom line: talent acquisition deals almost always baffle me as it seems like the same amount of money could be used to just pull and retain A1 talent from your (more sexy?) rivals instead. Take the following scenarios for example:

Scenario 1
BigCo buys BombedStartup for $4m as an acqhire deal. The two founders probably get < $500k each and a $150k salary at BigCo - maybe with a 1-2 year handcuff (ie they only see all of their $500k if they stick around for the handcuff period). The rest of the 8 employees get their tiny %age (maybe enough for a new car or a nice vacation) and the investors get the rest of the cash (with liquidation preferences, low exit compared to amount raised, etc that might mean $3m+). 1/2 of the employees don't accept BigCo's job offer and leave, and by end of the two years no one from BombedStartup is still there - they're all entrepreneurs and want to get back into the game.

Compare with

Scenario 2
BigCo wants to hire 4 key, strategic engineering hires from RivalCo. They would normally be paying folks like them $150-$200k anyway, so they take the $4m they would normally have spent on the ‘acqhire’ and offer each of them $1m cash over 4 years plus their base salary (ie $450k/y cash salary, guaranteed for 4 years, perhaps with the non-base as a performance/vested structure). This is in addition to any stock grants.

In scenario 2, with that kind of comp on offer you could probably treat Google’s engineering roster like a menu at a restaurant and just pull who you want out. Ditto for later stage Facebook employees who don’t have quite as nice an equity comp. I’ll assume BigCo has something going for it, in terms of being a relatively attractive place to work even if it isn’t Google or Facebook.

There are all sorts of additional upsides with scenario 2 too.

Firstly, you’re going to get precisely who you strategically need (data scientists, virtualization gurus, mobile developer rock stars, etc). In scenario 1, perhaps one of the founders was working with big data, but he may not be ‘guru’ status. Scenario 2 lets you pick who you want.

And because none of your budget has gone to investors (who to you, add nothing to the equation) you’ve got all this extra capital to retain the talent over a longer period of time. Halo effect also means that once these strategic hires are in place you’re also going to be able to attract more talent because of who is already on your bench.

Finally, as a final win, you’re going to cause your rival a world of pain because they lost the key talent. (Machiavelli dotBen strikes again)

In both instances BigCo spent the same amount of money, but to me the second option looks way more attractive, useful and sustainable in terms of getting talent to stick around.

In reply to a draft of this post, Dave McClure points out this is also about obtaining teams that have a proven record of executing together. I totally agree, but there is no reason why you couldn’t try to pull all 4 strategic hires out of the same team at the same company.

What do you think?