Opinion

How come Airbnb has few true competitors, while Uber has so many?


Uber and Airbnb have been described in the above terms so many times now that it’s almost a no-brainer to use one company to the explain the other;
“What Uber is to taxis; Airbnb is to accommodation” or vice versa.

While the two companies differ vastly in culture and tactics, they do have quite a bit in common;

  • They are the poster children (at least until Uber’s fall from grace) for the wave of startups disrupting traditional industries with technology
  • Both are marketplaces and adopt a business model described “network orchestrators” for their role in aggregating an industry and facilitating trust, relationships and transactions. The uniqueness of this business model is credited for both companies have attracting huge amounts of venture capital at valuations that dwarf their publicly listed, traditional competitors
  • Both are consumer facing applications
  • They bring together buyers and suppliers and earn a transaction fee for making it happen
  • Both are looking to unlock economic value from dormant assets. Airbnb enables people to rent out unutilized space/rooms to travelers while Uber enables any driver with a vehicle and spare time to become a taxi

However, the current status of the companies could not be more different
Leaving aside Uber’s drama with culture issues and top management changes, still leaves the stark contrast between the competitive market positions of the two companies. Airbnb arguably has no startup competitors. If anything, its direct competition comes from incumbent like Booking.com trying to get in on its turf, to protect their existing business model. Uber on the other hand, has severe direct competition in almost every market. In some cases, like Didi in China, these competitors have proven strong enough to oust it from the market entirely.

Uber also recently existed 8 countries in South East Asia, ceding them to Grab. Even leaving aside Didi and Grab, it faces a bunch of strong competitors, with a lot more startup tenacity than Airbnb’s competitors in the form of Go-Jek, Ola, Careem, Cabify etc.

This is surprising, as Uber and Airbnb are also similar in two key aspects that determine the defensibility of their business model.

  • From a purely software point of view, both businesses can start with relatively simple apps, without needing an army of developers or a hefty development budget. Build a minimum viable product and you’re ready to start marketing to on-board new drivers/properties!
  • Both companies have to win uphill battles to be accepted by regulators and incumbents (taxi driver unions, hotels), in each new market they enter. Once they do, similar new entrants can ride on their hard won legitimacy. This creates a tangible second mover advantage, as competitors can then focus on growth instead of politics.

So what explains the intense competition that Uber faces globally, relative to Airbnb?
For one it might be due to global vs. local network effects as explained by this article. The thinking here is that Airbnb benefits from global network effects while Uber only enjoys local network effects. For example, an Airbnb listing in London is beneficial to a traveler from Sri Lanka as much as it is to a traveler from US. Thus, Airbnb benefits from its global inventory.

On the other hand, taxis in San Francisco have no relevance for a rider in New York. Hence Uber, needs to start from scratch every time it enters a new market. For Uber’s local network effect to kick in, it needs to recruit drivers, build partnerships and market itself to riders. If a sufficient volume, of riders and drivers sign up, it becomes attractive for more to join. These local network effects mean that Uber’s global brand is of limited use in any specific market. Any local competitor that nudges ahead by winning more riders or drivers, can run it out of a market.

Somewhat tied to the above, but perhaps a reason in itself, is the fact that Airbnb’s model scales better than Uber. For example, to enter new territory Uber needs at minimum a small team to sign up drivers, spread awareness among consumers and handle relationships with local governments and unions. Airbnb on the other hand, could get hundreds and thousands of listings from property owners who wanted to be discovered by travelers, without having to put in this kind of effort or investment. As long as its global brand is well known and its site receives traffic from prospective travelers, it is useful for property owners to get themselves listed.

To its credit, Airbnb also managed to create value beyond simply offering convenience and cost effectiveness. By marketing itself as a way for travelers to ‘live with locals’ and to immerse themselves in the culture of the place they are visiting, Airbnb has created a truly differentiated offering, that can take on the traditional hotel industry. The Uber business models on the other hand, is still too focused on ‘hygiene’ factors which could be matched and surpassed by nimble local competitors.

Both these companies have transformed the world and profoundly influenced how we travel both locally and globally. But one seems destined to keep losing more battles to local competitors and subsidizing rides to stay competitive while the other is gradually tightening its grip around the global market it set out to capture. A telling lesson on the importance of understanding the full intricacies of one’s business model, for all aspiring disruptive startups.

References
https://www.forbes.com/sites/valleyvoices/2016/08/17/airbnb-uber-and-marketplaces/#723254de7bd5
https://hbr.org/2014/11/what-airbnb-uber-and-alibaba-have-in-common

Opinion

GDPR is a big deal; even for outsourced development agencies that collect no user data

Coming into effect in a few short days, the EU’s General Data Protection Regulation (GDPR) is set to bring about the greatest change to European data security in 20 years. Replacing the 1995 Data Protection Directive, outdated in the age of social media and “smart” mobile devices, the new regulations require companies that collect data on EU citizens to comply with strict new rules.

Companies are expected to implement initiatives for safeguarding data and take technical and organisational measures to individuals’ privacy rights.  GDPR places the obligation on companies to prove their accountability, requiring that they be able to demonstrate GDPR compliance and that reasonable measures have been taken to grant individuals’ rights over their data security. Companies are also required to ensure systems and processes are in place to test, monitor and measure data security at any given time.

As an external development partner to many clients in Europe Calcey collects no data from EU citizens directly, that brings it under the purview of GDPR. We have also already minimized access to sensitive data of clients, a quick win and a crucial step to reduce our exposure. While the maxim that you can’t lose (and in this case misuse) what you don’t have is logically sound, actually complying with GDPR requires a lot more. What follows is what we’ve learned and done in preparation so far, to gear up for changes post 25th of May.

A quick summary of GDPR

GDPR requires not only that organisations maintain records of the categories of data they process, the recipients of that data and their geographical whereabouts, the retention periods and security measures that have been applied, but also that these records be dis-closable at any given time.

Take a minute to consider this. The exercise of an individual’s rights over their personal data can only truly be effective if an organisation’s technology stack is fully flexible and agile to delete, restrict processing and export data as and when the individual (or data subject) demands. The challenge, then, that many organisations have been faced with is that their technology and processing systems have not been designed for GDPR compliance.

The core individual rights covered by the GDPR that require the most technological attention are the ‘right of erasure’ (the right to be forgotten/deleted from the system), the ‘right to redaction’ (data can be kept, but is marked “restricted” and cannot be touched without further consent by the user), the ‘right to data portability’ (the ability to export one’s data in a machine-readable format), the ‘right to rectification’ (the ability to get personal data corrected), the ‘right to be informed’ (getting readable information, as opposed to long T&Cs), and the ‘right of access’ (users should be able to see all the data collected and stored about them).
The technology these rights require, in turn, include technology to:

  • Enable rectification, redaction, erasure and anonymization
  • Map or trace the full information life cycle
  • Enable the transmission of personal data from one technology stack to another
  • Perform search and retrieval
  • Enable freeze and suppression
  • Categorise personal data by type and processing purpose

To be compliant processing systems will be required to include controls to protect against unlawful and/or unauthorised access or disclosure of personal data and include up-to-date countermeasures against current attack techniques.

Technologists, have their work cut out for them in the era of GDPR and must take information security seriously. Continuous steps and improvements to systems will be needed to ensure compliance.

Privacy can no longer be an afterthought

Privacy, for instance, should be built into software from inception and should be at the core of any system and not be installed with a plugin. Privacy cannot come at the price of an app’s functionality and users should not have to choose between privacy and functionality. Such software will become illegal under the GDPR.

A pertinent point for companies to think about could prove to be ‘pseudonymization’, heavily recommended by regulators as a way of protecting personal data. ‘Pseudonymization’ is the processing of personal data in manner that the data can no longer be attributed to a specific data subject without the use of additional information. That is personal data is stored separately from additional information so that in the event of a breach, the data would be hard to reconstitute. For example, a person’s name would be kept separately from the history of his actions on an app. This way in case of a breach, it would not be possible to match an individual and his actions. While adding an additional layer of security, implementing pseudonymization demonstrates a commitment to security, which can be useful under GDPR in the event of a breach.

Consent is set for an overhaul

Further to be deemed unacceptable under GDPR are soft opt-in methods and consent buried in long Privacy Policies or Terms & Conditions documents full of legalese. GDPR consent guidelines require that consent messages should be written in plain language and unbundled from all other terms and conditions. The information must cover all forms of processing that companies aim to undertake. Take for example, the common practice for companies to collect data to share with third parties for marketing reasons. Consent is often obtained by asking customers if they would like to receive marketing relevant to their interests (e.g. from travel agents). Current guidance by authoritative sources indicate that even such precisely defined categories of third-party organisations will not be acceptable under the GDPR. Instead, companies and all third-parties will need to be named and the purpose of the data collection explicitly stated.

All opt-in messages and collection systems will need to be checked and re-written where they don’t comply with GDPR. Consent records may need to be maintained as well, so they can be presented if challenged. System design changes may be required to ensure that systems are in place to provide evidence that users consented to specific uses of their personal data.

In the event where users request that their data be removed, companies will need to ensure comprehensive processes are in place to remove this data. This means deleting personal information, as well as other identifiable data, within a 30-day window once a request is made. Having an automated system that can perform this may become a necessity and well worth looking into, as manually removing data laborious. Developers will also need to plan how the information requested can be made available in an easy to understand format. Here, again, the law requires information to be provided within 30 days of a request. Having a system in place to monitor data breaches is also necessary to ensure quick detection and action in the case of a breach to minimize damage.

What can service companies do to face the brave new world?

GDPR is spawning an industry of its own as newly minted “GDRP consultants” offering everything from advice and audits to outsourced “Data Protection Officer” offerings, set up shop. The lack of clarity and direction regarding implementation casts doubt about the validity and effectiveness of such interventions and certifications to ensure compliance.

Calcey being a software services company providing engineering talent to fast-growing technology companies is unlikely to become a data controller, at any stage. Instead, Calcey is already a data processor, due to current engagements with European clients. Hence, Calcey preparations for GDPR is focused the following;

  • Getting Data Protection Agreements in place with data controllers to formalize governance of data
  • Educating staff about the requirements, risks and responsibilities created by GDPR
  • Minimising access to sensitive data and using anonymisation/pseudonymisation to minimise risks in the event of a breach
  • Conducting an internal audit to identify, assess, mitigate and minimize risks, even though Calcey’s exposure to sensitive data is minimised by the above

Of course, much more remains to be done. GDPR is certain to become an on-going theme and will be a key consideration in all future architecture discussions when new projects are being initiated. The tight coupling of functionality with user data is already a thing of the past.

The transition to comply with the new regulations will be chaotic and will re-shape the internet economy. How the many successful internet giants who rely on businesses models where users exchange personal information for free services, will evolve, remains very much an open question. Stay tuned for more blog posts around the topic, as we along with the rest of the world, continue to grapple with this new reality.

References
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
https://gdpr-info.eu/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
https://www.dpnetwork.org.uk/opinion/gdpr-consent-ico-draft-guidance/