Fog Creek Compensation

At Fog Creek Software, the way we make sure that people are paid fairly and rewarded for excellent work is based on a professional ladder.

Historically, our ladder is based on Microsoft’s professional ladder, which was adopted and publicized by Construx. Many of the guidelines you see here are blatantly copied from there, with minor modifications for the culture we are trying to create. The categories also correspond closely to standard US corporate compensation practices as documented in this book by Michael O’Malley.

Fog Creek explicitly recognizes that many good software engineers have no desire whatsoever to do “management” or to take on a formal personnel management role. One of the purposes of the Fog Creek Professional Ladder is to create a career path with promotions for engineers who simply do not want to do management stuff at all. We want to avoid the trap that many companies fall into of forcing good programmers to stop programming and start managing people, if that’s not what they want to do.

For various irrational reasons, nobody likes to be a level 1 or 2, so HR departments have always historically started the numbering with a higher number. So all Fog Creek software engineers are ranked at one of several different levels, level 8 through level 15.

Briefly:

  • Level 8 is for interns.
  • Level 9 is where new college grads, or people new to the industry, generally start. Then they work their way up to:
  • Level 12, which is full professional status. Most people won’t go beyond this level.
  • Level 13-15 can be achieved only by making significant, above average contributions both to Fog Creek and within the field of Computer Science.

Our official titles will be:

(8) Technical Intern
(9-12) Member of Technical Staff
(13-15) Fog Creek Fellow

“Member of Technical Staff”, a.k.a. MTS, is the classic title that all researchers at Bell Labs were given in their heyday. It’s neat and egalitarian.

When we decide to hire someone, the interviewers who were involved in the “hire” decision will sit down with the candidate’s resume and salary history and figure out what level they will start at. After that, every six months, Fog Creek management will review the performance of everyone in the company with the goal of making sure that people are at the right level. It is most important to make sure that people are grouped in the same level with other engineers who are their true peers. At this point it might be appropriate to promote some people to a higher level. We will also compare our salaries within each level to the competitive norms to make sure we are paying market salaries, at which point people might receive a raise.

A word about performance reviews
Many companies use regular, formal performance reviews as a “carrot/stick” incentive system to obtain performance. For various reasons discussed here, we tend not to like this system. In principle, managers should give their reports constant, regular feedback, positive and negative, on the quality of their work, in the “One Minute Manager” style. (If the negatives tend to pile up, we’ll start logging them. Nuff said.)

Our biannual reviews are done internally by management; they are not intended as a way to give employees grades or gold stars. Their goal is simply to make sure people stay at the right level and are recognized when their work improves with experience.

Everybody is different, and their skills and aptitudes may show up in different ways. One excellent contributor might write a ton of great code; another’s strength might be in getting teams to jell and work together. It’s impossible to use hard-and-fast metrics to decide where someone fits in, and these kinds of metrics tend to accidentally incentivize the wrong things. Instead, we have a bunch of heuristics which tend to provide an accumulation of evidence that a given engineer belongs in a given category. When we’re done applying them, we look at some of the other people in that category to determine if we got the right result. Nothing is carved in stone except the principle that within each group, people should be true peers.

Transparency Policy 
In the interest of fairness, Fog Creek’s compensation policy is open, public, simple, and accountable. Many companies try to obfuscate the rules they use for determining compensation in hopes that they won’t get caught paying some people too much and others too little. Some companies actually consider it a firing offense to reveal your salary!

We feel that in the long run, this can only hurt us through negative morale, high turnover, and destructive office politics. Therefore, the policy in this document is publicly available. People have a right to know what the levels are and what they mean. Everybody has a right to know what their colleagues’ levels are.

Similarly, the rules we use to determine salaries based on levels and other factors are simple, easy to understand, and public knowledge.

Yes, that means you can figure out what your coworker is making. So what? People in public service, the army, the police, and unions can all figure out what their coworkers are making. This transparency policy is a good thing that forces Fog Creek management to keep things fair.

Determining Levels

Here are the heuristics we use in determining what level someone is at.

Years of experience

  • Summer interns, high school kids, people still in college: Level 8
  • New college grad or new to professional software engineering: Level 9
  • 1-3 years: Level 10
  • 2-8 years: Level 11
  • 6 years or more: Level 12 or higher

Enabler

  • Someone who serves as a leader or catalyst, who consistently and exceptionally enables other people to do their jobs better: one higher level than they would otherwise deserve, not to exceed level 12. This is meant to recognize people who motivate, rally the troops, improve morale, and provide leadership beyond their normal level. It doesn’t go beyond level 12 because level 12-15 should be doing this anyway.

Academic experience

We don’t care too much about degrees, because they don’t correspond all that well with skills for software engineers. A lot of newly-minted PhDs are sorely lacking in practical software engineering experience that some BAs with one year of experience may have.

  • No bachelors yet: Level 8
  • Bachelors or Masters degree: Level 9-15
  • PhD: Level 10-15

Strategic Role

Most people fall into four rough categories based on the type of work they are doing. These categories are quoted from Chapter 2 in O’Malley.

  • Strategic. These people sit around thinking “lofty thoughts about markets, products, the competition, and the like. They determine the general direction of the company and set the short-term and long-term financial and non-financial objectives of the company.” Level 14 or 15.
  • Tactical. The people who have to figure out how to execute on the strategist’s ideas and “send the troops into battle”. Level 12-13
  • Operational. The people who “make things happen in the right way, at the right time, with the right people, at the highest quality, etc.” Level 11-12
  • Executional. These people actually – eep! – do the tasks. Level 9-10
  • Learning. My own category for interns who are basically learning how to do things. Level 8.

See the book for guidelines on deciding where someone fits.

Programming Maturity

These categories are stolen from Construx, who, in turn, stole them from Microsoft (so there).

  • Someone who is learning the basic principles of software engineering on an internship basis, and who works under close supervision and is not expected to write production code. Level 8.
  • Someone who works under some supervision and occasionally writes production code. Level 9.
  • Someone who has some background in software engineering and is qualified to write production code without much supervision, although they probably aren’t designing anything. This person will be expected to learn the software development lifecycle practices, methods, conventions, and standards of the computer industry. They understand and practice the skills of The Joel Test. Level 10.
  • Someone who is familiar with industry practices and therefore can work independently as necessary. This person proposes design approaches for review and agreement from peers and his or her supervisor. This person has worked on one or more shipping projects, and has experience in each of the basic software development lifecycle steps needed to ship a product. This person is very competent in nearly all code-centered, detailed-design centered, and task-centered areas, and demonstrates additional competencies in other software lifecycle areas. Teamwork skills are excellent. Level 11.
  • Someone who has consistently had major success during their participation in all aspects of small and large projects and has been essential to those projects’ successes. This person has a track record of consistently rendering clear technical judgment and routinely considers architecture-level and project-planning issues. They ensure that projects are conducted in ways that benefit the project objectives, the people participating in the project, and Fog Creek’s long-term interests. They are innovative, consistent, and contribute beyond the assigned tasks. They are mentors to others. They actively seek accountability. They have achieved mastery of The Joel Test. Competence extends to architecture, user interface design, project planning, and other project-level issues. Teamwork skills are excellent. They are committed to a self-study program, reading books and journals. Level 12.

  • Someone who has been critical to shipping a world-class product. This person takes total ownership for all aspects of their project and makes many unique contributions. This person’s decisions have a significant impact on Fog Creek’s profitability and overall well-being. They routinely provide technical direction to other groups and people. Their competence extends well beyond project-level issues to company-level issues. Level 13.

  • Someone whose areas of competence extend beyond company-level issues to industry-level issues. Teamwork skills are excellent at the project, company, and industry-partner levels. This person contributes regularly to the industry through publishing papers, making conference presentations, teaching classes, and participating in technical committees. Level 14.
  • An industry-recognized leader within the software engineering field. This person consistently works to design and produce groundbreaking, world-class products, or in advanced research. Level 15.

Components of Compensation

Salary

Fog Creek will maintain a simple schedule of salaries based on level. We don’t really know how to divide people up with more granularity than our ladder, so, for purposes of fairness, there is no salary variation within a level. However, we will have:

  • Cost of living adjustments for different markets. Since we’re starting in New York City, this won’t apply at first. If we hire people in other cities, we will simply use industry-standard COLA adjustments to set salaries in other cities.
  • Educational adjustments. We may need a different scale for people with masters degrees or with PhDs if we find that this is necessary to offer competitive salaries.
  • Superstar adjustments. There may be certain superstars that we wish to recognize, even though they do not yet fit in a higher level. For morale reasons, these people should probably not exceed 10% of the members of a level, and they must be universally acknowledged and recognized by their peers as superstars so that their adjustment is not considered to be unfair. These people will receive 50% of the difference between their level and the next level up. For example, if Level 9 pays $100 and Level 10 pays $120, a Level 9 Superstar will get $110. Superstar status, once granted, lasts until the next promotion, after which you have to earn it again.

How do we know what the right levels are for salaries? There are two ways. One, we can subscribe to surveys and try to track how we compare. More importantly, we can try to get a feel for the salaries that we have to offer people in order to get them to join up: if we’re losing a lot of new hires because our salary structure is insufficient, we have to raise salaries; similarly if we never have a problem getting people to accept an offer, it’s ok for salaries to stagnate for a while until the market catches up. (It goes without saying that it’s never a good idea to lower salaries.) Once we are hiring on a regular basis, I think we’ll be able to figure out a metric like “percentage of people that decline our offer primarily because the salary isn’t enough”, and decide what an acceptable number for this metric might be.

One thing I suspect is that our great benefits (see below), especially our six weeks of vacation, mean we will be able to pay 5-10% less than other employers who have run-of-the-mill benefits.

Bonus

Bonus plans have too many problems.

They’ve become like tips in restaurants: everyone expects one, so they can no longer be used well to reward good performance. They are too indirect: year-end bonuses just are too far removed from the actual work to serve as a useful inducement. And they tend to create as many negative feelings and politics as good morale.

So we don’t have bonuses. Instead we have:

Profit Sharing

This is a way to reward the whole Fog Creek team collectively when we have good years. Profit sharing is at the sole discretion of management. Each year, Fog Creek management will determine what total dollar amount should be awarded for profit sharing. It might be 0 in fallow years. It could be a lot more. This amount will be prorated according to salaries and percentage of the year that people worked, so every employee will receive a part of the profits amounting to an equal percentage of their salary. Profit sharing is based on the performance of the entire company, not the individual. (Also, there is no penalty for quitting the company before profit sharing is paid: if you do this, you’ll still get your prorated profit share for the part of the year that you worked. This policy is to prevent getting a wave of people quitting every January and screwing up our lives).

Benefits

Benefits are given equally to all full-time employees. (We may end up with categories like intern and temp with more limited benefits). Some employees may get more “value” out of their benefits than others (e.g., if they use the health clubs).

We have a long menu of benefits that we want to offer. I should mention that Fog Creek is just starting, we’re a new company, and we don’t have a lot of cash. That means that these benefits haven’t kicked in yet. They will as soon as we can afford them, but I don’t want any misunderstandings 🙂 As time goes on and our cash position becomes stronger, these benefits will start to kick in.

  • six weeks vacation every year
  • three weeks training every year
  • full health, dental, life insurance, disability insurance, prescription eyewear, orthodontia
  • immigration legal services
  • health club membership
  • free gourmet lunches
  • free soft drinks, coffee, tea, and snacks
  • free Internet access from home, including a free email and web hosting account that is not associated with Fog Creek in any way. In markets where DSL or cable access is available, we’ll pay for it
  • all travel is business class, and you will never have to be away from home on a weekend
  • concierge services
  • free professional books, subscriptions, and free memberships in professional organizations
  • 401K
  • stock options (see below)
  • employee stock purchase plan, if we go public
  • relocation reimbursement
  • great work environment, with the goal of every engineer having an office with a door that closes
  • departmental morale budget for fun stuff (movie passes, free PalmPilots, etc)
  • great equipment – we’ll have a pretty high budget for computer stuff, so if you want 3 screens, a dual processor Pentium, AND a Vaio laptop to take home, you can probably have it.

Stock Options

Stock Options are weighted heavily to compensate the people who take the most risk, namely, the people who join Fog Creek when it’s just a wee tiny company and we’re all jammed into one tiny office and we can’t afford to buy your kids braces and sometimes you have to change the Poland Spring yourself.

As the company grows, the initial package of stock options offered to new hires will be lower and lower. At any given time, stock option awards are equal based on level. Once a year we’ll grant people more stock options.

Stock options are not intended to replace salary. I hate companies that say “we’re only going to pay you half what you’re worth, but the stock options will make you a zillionaire when we go public!” Fog Creek might not go public. You might not become a zillionaire. But you still get some stock options, so that if we are a huge success and we do go public, you won’t be left out.

Startup Bonus

Generally the startup bonus will be about 10% of a new hire’s salary and comes with the first paycheck. If you leave within 12 months for any reason, you have to pay it back.

Changes in Compensation

In order to remain market competitive at all times, we are constantly reevaluating our salary structure. If we notice that we’re having trouble attracting people because our compensation is not competitive, we’ll raise the base salaries — which affects everyone in the company, not just the new hires. This is intended to prevent “salary compression” or “salary inversion”: that awkward state where market salaries have gone up and new hires are earning more than experienced hands, which is simply not acceptable.

Feedback on Programmer Compensation

Here’s some feedback from my original programmer compensation article. Based on this feedback, I rewrote the policy: the new one is here.


Your level 13 and 14 seem a little odd, especially 14. Firstly, creating new programming languages doesn’t sound like a very good indicator of exceptional quality or intelligence, though I think I know what you were intending. For instance, you and I clearly know a great many very bright people. How many general purpose languages are there?

Also – the 10 years plus fits a great many people – like myself. If anything, those are the people with the CTO-like skills. Level 13, CTO-like skills with 5-10 years of experience…well, that’s partly why so many “dot coms” are “dot going away.”

Personally, I like performance-oriented compensation. And companies that are slow to hire and quick to fire stand a better chance of insuring they have credible, reliable technology staffs.

I’ll probably have some more useful comments later.

David Geller


Neat. I like the egalitarian and transparent nature of it. If I was still coding, I’d mail you a resume right now.

Of course, you’ve removed almost all individual incentives, which may or may not be ok.

Might I suggest a radical approach when it comes to the stock options? Silicon Valley craziness has made granting stock de rigueur, but it doesn’t really accomplish what it’s meant to. Usually, only founders and top management own enough stock to make them care deeply about the company’s fate and problems. With later-term employees, they own a bit to make them feel franchised, and can be incented through promises of more.

Unfortunately, it’s with the early employees that stock options tend to fail. They have too much for subsequent grants to make much of a difference, and too little for them to be committed to the same extent that management or founders are.

Also, if you mis-plot the risk curve that determines how quickly option grants scale down, there’s almost nothing that you can do to rectify the situation later (short of granting a boatload of options to the later people and destroying your stock structure forever).

I’d suggest a different approach, that doesn’t apply forever – profit sharing. You can share a very large percentage of the company’s profits when the company is young, and slowly bring the percentage down over time as the company matures. At the end of the day, it amounts to the same thing, as the discounted profit stream is the equity value of the company. However, you avoid irrational temporary market swings, and more importantly, if you make an allocation mistake, you’re only stuck with it until next year, not forever.

The situation that you’re trying to avoid is having someone mediocre but early sitting on a ton of options whereas someone who has joined much later but is doing a great job has far less stock. Best intentions aside, it happens ALL of the time, unless you’ve been a genius about keeping the risk / reward ratio sensible.

Of course, options have positive tax benefits over profit sharing, but you get my drift.

– Naval Ravikant


No – don’t hire consultants – you are definitely on the right track. The only thing that worries me a bit is the ‘years of experience’ yardstick although the fact that you are linking it to technology exposure is good. Exposure and experience do not necessarily make a better programmer but they certainly do help as long as the person has the extra abilities to be a lateral thinker and a ‘solutions’ person.

People who do/try different things could also have the edge over those who exclusively program – for instance, I reckon that my 10+ years as an analyst programmer working on different systems certainly helped me be a better dba.

Also be wary of the person who has had superficial exposure to heaps without being expert in any – they abound.

I am sure that you know where you are going with this and will succeed admirably. You should know your market and what you need to pay/offer to get the right people.

– Dale Goopy


I think your level system, the bonuses (as percentage of income), and the stock option scheme are quite solid. Your levels seem to be well thought-out: I can think of few people who would not fit either within one category or between two categories.

However: your startup package exhibits a flaw. By inflating the appearance of compensation rather than actual compensation, you draw certain types of individuals, don’t you think? Consider your case of the new college hire. She (to pick a random gender) is offered a position for $70k / year by a competitor. You counter with $60k / year, plus $15k startup. “Woo-hoo!”, she thinks, “I’m rich! $5k extra!” After two years, however, the competing job would have grossed her $140k while yours grossed her $135k, and this delta increases by 10k / year. She is probably one of three types of people, it would seem:

  1. She can’t do elementary math.
  2. She is more interested in the short term (< 24 months) than any sort of long term.
  3. She plans to grab you for the cash and ditch you after a year.

Do you really want any of these people working for your company?

Also, your equality of salary increases the granularity of your system. This generates a stair-step: an employee knows not to expect a raise (at least one unequal to that your coworkers receive) until he or she crosses a certain threshold. It leaves the employee in the situation of saying “I made level 13 eighteen months ago, so I probably have (on the average) three and a half years left until my next significant pay increase.” This person may foresee greener pastures, methinks.

On the whole, I think this plan has significant merits. I do think it requires some tweaks, however.

– Joshua McGee


You seem to have come up against a difficult question of fairness, particularly when taking on new hires.

I wish I knew the answer to these questions. I think you’re right on having an open and fair policy, I tend to believe that an open book is essential for fairness. I’d guess that the issue of the startup bonus incentives offered can then be influenced by the group of programmers you already have (often loosely referred to as ‘the team’ ;).

If (following your example) the potential new hire understands your system, but goes on to take the other position anyway, at least they may be tempted back after they’re in place & get over the honeymoon period. (not that you’d want to make this a habit of the hire ;).

I think one of the big things that’s missing from many organisations is that when someone accepts a position, there’s a whole plethora of lifestyle issues to be covered. Where the applicant can see that the new workplace welcomes their lifestyle, and offers a balanced merge between the lifestyle and work, then you’re bound to have them being settled in working productively sooner.

– Ray Goopy


Hello Joel, excellent site BTW! Great articles, I wish every place had your ethics.

I think the salary ranges should be based on the market and location. For instance, I live where 40k a year is a nice salary. I have been recently offered a job in San Francisco for 74k but up there that isn’t very much.

Or, are you basing the salary on your area?

Also, you mention college grad. Does that mean all your levels require some college?

As far as signing bonus, if I were going to re-locate a signing bonus is very important.

Just thought I would provide some input.

– Scott Burton


I don’t think I agree with giving everyone in a particular level the same salary. No two people have the same contribution towards a company’s success, so why should their salaries necessarily coincide? I feel that this policy will simply frustrate the more productive members of your staff.

– Sid


Some comments:

  • I found it interesting that I didn’t fit anywhere in your chart, with 23 years of programming behind me. Some of us have spent more time teaching and mentoring than writing new computer languages. IMO, that’s a good thing.

  • You’ve left out one important part of programmer compensation, in my experience. Give every programmer a conference and training budget. Geeks want to go hang out with other geeks. Let them decide if they want to blow the budget on a Geek Cruise, attend JavaOne, or stay at home and buy a copy of every ORA book ever published.

  • I’m also a fan of a tools & toys budget. Let each geek decide themselves which is more important: a new nerf gun, a fancy trackball, or a better set of speakers? Each can be a major productivity booster for the right person.

But then, after 13 years in the corporate world, I’ve found I’m much much happier being freelance, so what do I know? <g>

– Dori Smith


six different levels, Level 9 through Level 14

I assume you got these levels from somewhere else you’ve worked.

Why not just cut through the obfuscation and make ’em 0-5 (or 1-6 if you feel bad about someone being a zero)? If you’re keeping slots open for administrative, QA, and janitorial types, why not just put ’em in another class entirely?

You’ve got interns on the list, and you’ve got team leaders, but you have no spot for a senior programmer who has no desire to lead a team. There are lone-wolves like this who simply don’t work and play well with others. Maybe you’re not interested in hiring them, but if you are, you should account for them somewhere.

You also don’t seem to have a place in your matrix for a teacher. By that I mean a mid-level to senior programmer whose strength is being able to teach others (including more senior people) skills they don’t already have. Especially if you’re planning on hiring interns at any point, you’ll need this sort of person. A good teacher may not be extremely productive in developing new code.

Another one you’ve omitted is the professional maintenance programmer. The person who comes in and can debug a complete dog’s dinner of code. The person who can see that there are three ways to fix code: 1) massive rewrite; 2) minor rewrite of a function or two; or 3) one-line change with a heavy comment about how someone might wish to rewrite the code later. There are very good reasons for each of the approaches, and knowing which to pick isn’t something everyone is good at. For that matter, some folks are much better at debugging, while others are born architects. The skill sets needed for the two positions are very different. How do you reconcile the two? If you’re being hired guns, it’s quite possible the person with better debugging skills will actually bring in more revenue to the company. I’ve seen this overlap with the teacher position more frequently than other types of programmer.

Compensation consists of:

  1. Salary
  2. Annual bonus
  3. Benefits
  4. Stock options
  5. Startup bonus

You left out time off (though you may consider it part of benefits). The reason I’m running my own business is that no company was willing to hire me on the terms I was looking for. I was looking for a job that was roughly full-time (but in fewer, longer days per week) for about 3/4 of the year. I’d have been willing to take 3/4 (or even slightly less) of full-time salary in order to have the time to enjoy things other than work. In most companies, the only way to do that is to work a year or two, and then either take a leave of absence or quit, knowing you’ll have to look for a new job when you return.

Benefits are equal for all full-time employees.

I think a better solution is to have a shopping-bag concept of benefits. Employees get a certain amount of benefits, and can apply them to different types of benefits. A single employee will spend less on health-insurance, but may want to spend more on the health-club or a tuition-reimbursement program. A married person with children will need to spend more on health insurance and day care, but may not have time for the health-club. There are a lot of variations, and one size does not fit all.

One thing I’ve been pondering is simply punting on fixed benefits and saying “You have n% of your salary to use on benefits. You can allocate it among the following: health-insurance, dental insurance, 401K, ESPP, vacation time, discounted hardware purchases, tuition reimbursement, valet service, tax preparation, etc…” That can be tricky tax-wise, but it’s even trickier for the employee to figure some of that stuff out. Spend a few extra $$ to have the corporate accountant figure out how to make it work, and save the employees the hassle.

Stock Options….

Feh! on stock options. They interest me little if at all. If the company is publicly traded, a good ESPP is more interesting. If the company is not publicly traded, stock options are worthless scraps of paper, and may actually cost me money in taxes for a net-negative. Of course the company may go public and do well, but it also may fold before reaching IPO.

And if we’re having trouble hiring because of low salaries, we’ll raise the salaries for everyone, even the people we’ve already hired.

One way of looking at salaries is asking yourself: “What would I have to pay to contract this programmer back six months from now after she leaves because we don’t pay her enough now?”

The answer to that question can be pretty illuminating. One company I quit was simply unwilling to pay to contract me back after I left, even though they’ve had two problems I could have walked in and fixed rapidly. Instead, they wanted the security of having someone on-staff who had spent the time to figure it out. Good for them.

Another company that wouldn’t meet my desired salary has since contracted me for almost six months worth of that salary for two months work. I suspect they’re regretting their decision, but they do have more flexibility now.

as a company, we are very concerned with equity and fairness in salaries. We think it will be extremely valuable to maintain salaries, bonuses, and benefits for programmers at equal levels rather than negotiating individually with everyone and then having people upset that they are not getting a “fair” salary

I think if you truly want to be equitable, you’re going to find out that there will be enough special cases, that your pay-parity will quickly evaporate. I’ve mentioned a few, but there are more that I’m sure I haven’t thought of. Being fair is a good ideal, but because of the special cases, equal pay is unlikely to be fair.

– Dave Polaschek


In the company I work for, we do negotiate salaries, which I agree with you it is wrong. But I have one problem in your scheme. Let’s say you have 2 developers 1 year experience, same exact level, but one is amazingly smart and fast, the other one is slow, fast and slow means time to finish a certain task in a certain amount of time without major bugs, etc.. etc…, how can you differentiate between those, in this scheme you can’t because they will take the same salary and the same bonuses, I see that the motivation to excel is not there… I agree with the same salary scheme for the level, and the startup bonus, but the drive for each person to excel is important too. This might be achieved by an individual bonus or other ideas… What do you think?

– Ahmed Badr

Editor’s note: I don’t really believe in individual bonuses or performance incentives, because I’ve heard a lot of research that says they don’t work:

Incentive Pay Considered Harmful

But, to answer your question more specifically, if I really had one programmer who was simply much more productive than usual and wrote code much faster, we would probably just bump them up a level even though they don’t meet the other criteria. I don’t want the criteria to be hard-and-fast, just general guidelines. – Joel


I think that you’re totally on the right track, and identifying your levels as mere guidelines is key. I would give the levels names, fun or serious. Numbers make me think of government pay scales, and leave less flexibility to change them later (unless you like decimals or re-classifying everyone).

I do have to disagree with using large startup bonuses to bridge an offer gap. It creates a mercenary ethic from the start. If a salary of X doesn’t make me happy now, as an “unknown risk” to your team, I’m going to be less happy with it down the road once my value to the team has been well-established. I would cap the total startup bonus at $10k and extol the value of the benefits package. Vacation time to me is worth at least twice its straight salary value, and it’s a benefit that most American companies (esp. tech!) are stingy and inflexible with.

(I’m working with a guy who wasn’t able to use all of his vacation time last year, a serious no-no in Germany, so he’s wound up with 8 weeks for this year. Being on our American payroll, I have serious vacation envy! Not enough for me to switch payrolls, but you can be sure that it will be the only compensation matter discussed at my next review 😉

– Bryce


Look at Steve McConnell’s stuff at construx.com. He has various programmer levels etc. etc. Looks like it’s similar to what you’ve already shown, so maybe you’ve already been there. We’re a pretty small shop with 25 or so programmers and recently went to a three-level basic structure: engineer, Sr. Engineer, Principal Eng. Early feedback is that’s not enough granularity. We have a pretty wide range of skills in each level. Probably go to more like you’re thinking in next go round.

– Chris Markle

Editor’s note: Construx’s stuff is exactly what I was trying to reconstruct. Steve got the idea and copied the ladder from Microsoft, and I did too, but I was trying to reconstruct it from memory! – Joel


I like the idea of having levels and paying everyone according to their level. Publishing uses this system for the first two levels (editorial assistant and assistant editor) and it creates a lot of camaraderie since everyone is getting paid the same. Once you’re an editor, though, your salary is based on your years of experience and the P&L’s of your books. You may want to consider using the level system for your more junior employees but having more freedom to distinguish between the senior ones.

You don’t mention it specifically, but I’m assuming that it will be public knowledge what everyone’s level is and how to progress to the next one. This is a key factor. I like the consensus approach about setting levels, so long as the employee gets a chance to present their side of it.

What about annual raises? I think everyone expects some sort of annual raise even if you can still hire new programmers at the same wage level as the old ones. And honestly, someone who’s worked for you for a year is worth some degree more than someone with equal skills who doesn’t know anything about your company or your software.

– Jill McFarlane


On today’s topic of compensation, I really like the idea of open and fair salary guidelines. I’ve never truly understood why salary is such a taboo topic when we’ll tell everyone how much we paid for a car or house.

Perhaps it is a bit utopian, but one would hope that if an employer adopts an open and fair salary policy, they would fully grasp being fair and open as a corporate policy.

– David Benson


How about individual bonuses awarded directly by the employees? I can imagine a bonus plan wherein every employee is given 5% of their own salary to award to other employees. Does incentive compensation of this sort also have the same problem as other incentive compensation?

– Kevin Postlewaite


I’d like to advise you to go ahead with your compensation ideas based on my experience with companies that have done things that way. Sadly, I can’t. Every company I’ve been in has kept these things secret. Instead I urge you to do it simply because I’d like to work at a company with those policies.

I work for Dictaphone (private), which was recently bought by Lernout & Hauspie (public), so we’re getting stock options soon, but it’s supposed to be a big secret how the amounts are awarded. We got mail with our share amounts saying do not discuss this with coworkers! What’s up with that? Amazingly, many members of my team went along with it! Fortunately a few of us did an “I’ll show you mine if you show me yours” session, and we were able to figure out that it’s simply based on salary grade. Big deal. Why not just publish that? Secrets do more harm than good.

I suppose that there will always be resentments and perceived injustices with compensation policies. You have to accept that. But keeping it open and telling everybody up front that it’s open will, I believe, keep it from interfering with the work.

– John Sands


Earlier this year I was handed a tremendous challenge – to pull together a disorganized department and then design, implement, QA and ship a terrifically complex system with a do or die release date … of three months later. I can tell you all about it some time because it worked and I learnt an enormous amount about development, management and design but what I wanted to mention here are two things the CEO did that were strong factors in the success of the project – both rather irregular.

#1 – Personal pressure and help: At the time, there were two levels of management in between myself and the CEO. Both were dysfunctional. The CEO cared more about the project than about “dis”ing the two middle managers and set up a weekly status meeting between himself and me to go over the status of the project and do risk assessment. No one wants to disappoint his/her CEO, thus, boy was I on top of the project. Also, if I was having trouble with resource issues he could cut through any red tape and make things happen for me.

#2 (relevant to the bonus question) – at the first status meeting he gave me a massive bonus (options that are currently worth about $150,000) and said that he likes to give bonuses BEFORE the success – he finds it’s much more concrete motivation. Now this is a bit of a dirty trick but it sure does work. I plan to try it with my team next real crunch.

I really like your approach to salaries, though you need to have a certain amount of flexibility with the ranking. One of the biggest sources of tension we have in the department is due to people thinking other people are getting paid more than them. One of the biggest headaches we have when hiring is dealing with people who are good but would throw our salary scale off kilter. Your suggestion solves both very elegantly. The one question I have is what do you do with salary reviews? Over here, people expect a 10-20% raise every year (in addition to any raise due from a “rank” promotion). Would you only give people a raise if they rise in rank? Or maybe instead of a salary raise have an individual bonus at the time of the salary review that would do the same as the start up bonus?

– Anonymous

How do You Compensate Programmers?

Editor’s note: This article originally appeared August 28th, 2000. Based on a tremendous amount of great feedback received from my readers, I’ve completely rewritten the policy. This article appears as a matter of historical record only.



I’m designing the compensation package for programmers at Fog Creek Software, and I could use your advice!

Here’s the tentative plan. I’d love to hear your feedback and discussion on any and all aspects of it.

Fog Creek Software hires programmers at six different levels, Level 9 through Level 14, which roughly correspond to their level of experience, seniority, and initiative. Programmers are assigned a level when they are hired, and may move up or down in level at any point in time.

Levels are set approximately as follows. These are merely guidelines; the real way they are set is by comparing groups of people at various levels and then adjusting based on a consensus of how good they are.

| Level | Years of experience | Technology exposure | Initiative and architectural skills |
|---|---|---|---|
| 9 | 0 | Two programming classes and incredible aptitude | Can develop code with significant mentoring and review. Intended mainly for summer interns and high school kids. |
| 10 | Recent grad – 1 year | Coding for one OS like Unix, two or three programming languages, no API experience | Can execute on a plan or write code that someone else specified, requires some mentoring |
| 11 | 1 year – 3 years | 2 platforms (e.g. WinAPI and Unix); RDBMS; two or three other programming platforms (like ASP, JSP, PHP, perl, etc) | Can work independently on a feature and can suggest improvements and shortcuts |
| 12 | 3 – 5 years | Enough different technologies to be able to make excellent choices of architecture | Can design and architect a feature independently; given an interesting problem to work on, can architect, lead, and build the whole thing; can mentor less experienced developers |
| 13 | 5 – 10 years | All the above, plus, knows enough about other disciplines to be able to lead specialists in those areas (e.g. networking, wireless, hardware, datacenter, telecom, etc) | Can conceive, design, architect, and lead a team to implement an entire product or company. CTO-like skills. |
| 14 | 10 years plus | Significant experience inventing and architecting new technologies which are widely used throughout the industry | A “Fog Creek Fellow”: Invents whole new programming languages like C++; extensively known through books and articles. This level is reserved for hiring people like Bjarne Stroustrup or Linus Torvalds, or promoting geniuses to an independent research position. |

Compensation consists of:

  1. Salary
  2. Annual bonus
  3. Benefits
  4. Stock options
  5. Startup bonus

Salary is intended to be very egalitarian, fair, and transparent. Fog Creek will have a simple schedule of salaries (set competitively) based on level. For reasons of fairness, there will be no variations on these salaries from person to person. Everybody knows what the guidelines are for levels; everybody knows what level they are at; and everybody knows what the salary is for their level.

Annual bonus is also intended to be equitable. Each year, Fog Creek management will determine what total dollar amount should be awarded in bonuses. This amount will be prorated according to salaries and percentage of the year that they worked, so every employee will receive a bonus amounting to an equal percentage of their salary: if I get an 11% bonus, everybody gets an 11% bonus. It is our explicit philosophy that bonuses are awarded based on the performance of the entire company, not the individual. (Also, there is no penalty for quitting the company before bonuses are paid: if you do this, you’ll still get your prorated bonus for the part of the year that you worked. This policy is to prevent getting a wave of people quitting every January and screwing up our lives).

Benefits are equal for all full-time employees. (We may end up with categories like intern and temp with more limited benefits). Some employees may get more “value” out of their benefits than others (e.g., if they use the health clubs).

Stock Options are weighted heavily to compensate the people who take the most risk, namely, the people who join Fog Creek when it’s just a wee tiny company. As the company grows, the initial package of stock options offered to new hires will be lower and lower. At any given time, stock option awards are equal based on level.

Since the basic compensation is set in stone, for the purpose of fairness and equity, the only tool we have to lure people who have great offers elsewhere is with a Startup bonus. This can vary wildly from new hire to new hire. It is mainly intended to compensate for cases where the normal benefits package does not appear to be competitive to a candidate who, for example, has an offer from another firm that is disproportional to their actual “market” value. As a typical example, suppose we’re currently paying level 10s (new college hires) $60,000 a year + $5,000 startup bonus, and we think that’s about fair. If we are having trouble luring a particular hire that we really want, because he or she has an offer from another company for $70,000, we’ll just add $10,000 to the startup bonus and keep the salary at $60,000.

To summarize: as a company, we are very concerned with equity and fairness in salaries. We think it will be extremely valuable to maintain salaries, bonuses, and benefits for programmers at equal levels rather than negotiating individually with everyone and then having people upset that they are not getting a “fair” salary. So, at the point of trying to hire someone, if they simply wouldn’t be happy with what the rest of the team is getting, we’ll dazzle them with a startup bonus but set their actual salary where everyone else’s is set. And if we’re having trouble hiring because of low salaries, we’ll raise the salaries for everyone, even the people we’ve already hired.

So, what do you think? Am I crazy? Is this naïve? Should I hire “compensation consultants” to charge me more than I bill annually just to set salaries? Let me know!



Three Wrong Ideas From Computer Science

Not to rain on everybody’s parade, but there are three important ideas from computer science which are, frankly, wrong, and people are starting to notice. Ignore them at your peril.

I’m sure there are more, but these are the three biggies that have been driving me to distraction:

  1. The difficult part about searching is finding enough results,
  2. Anti-aliased text looks better, and
  3. Network software should make resources on the network behave just like local resources.

Well, all I can say is,

  1. Wrong,
  2. Wrong,
  3. WRONG!

Let us take a quick tour.

Searching

Most of the academic work on searching is positively obsessed with problems like “what happens if you search for ‘car’, and the document you want says ‘automobile’”.

Indeed there is an awful lot of academic research into concepts like stemming, in which the word you searched for is de-conjugated, so that searching for “searching” also finds documents containing the word “searched” or “sought”.

So when the big Internet search engines like Altavista first came out, they bragged about how they found zillions of results. An Altavista search for Joel on Software yields 1,033,555 pages. This is, of course, useless. The known Internet contains maybe a billion pages. By reducing the search from one billion to one million pages, Altavista has done absolutely nothing for me.

The real problem in searching is how to sort the results. In defense of the computer scientists, this is something nobody even noticed until they started indexing gigantic corpora the size of the Internet.

But somebody noticed. Larry Page and Sergey Brin over at Google realized that ranking the pages in the right order was more important than grabbing every possible page. Their PageRank algorithm is a great way to sort the zillions of results so that the one you want is probably in the top ten. Indeed, search for Joel on Software on Google and you’ll see that it comes up first. On Altavista, it’s not even on the first five pages, after which I gave up looking for it.

Anti-aliased text

Antialiasing was invented way back in 1972 at the Architecture Machine Group of MIT, which was later incorporated into the famous Media Lab. The idea is that if you have a color display that is low resolution, you might as well use shades of grey to create the “illusion” of resolution. Here’s how that looks:

[Image: normal text on the left, antialiased text on the right]

Notice that the normal text on the left is nice and sharp, while the antialiased text on the right appears to be blurred on the edges. If you squint or step back a little bit, the normal text has weird “steps” due to the limited resolution of a computer display. But the anti-aliased text looks smoother and more pleasant.

So this is why everybody got excited about anti-aliasing. It’s everywhere, now. Microsoft Windows even includes a checkbox to turn it on for all text in the system.

The problem? If you try to read a paragraph of antialiased text, it just looks blurry. There’s nothing I can do about it, it’s the truth. Compare these two paragraphs:

[Image: two paragraphs of text, not antialiased on the left, antialiased on the right]

The paragraph on the left is not antialiased; the one on the right was antialiased using Corel PHOTO-PAINT. Frankly, antialiased text just looks bad.

Somebody finally noticed this: the Microsoft Typography group. They created several excellent fonts like Georgia and Verdana which are “designed for easy screen readability.” Basically, instead of creating a high-resolution font and then trying to hammer it into the pixel grid, they finally accepted the pixel grid as a “given” and designed a font that fits neatly into it. Somebody didn’t notice this: the Microsoft Reader group, which is using a form of antialiasing they call “ClearType” designed for color LCD screens, which, I’m sorry, still looks blurry, even on a color LCD screen.

(Before I get lots of irate responses from the graphics professionals among my readers, I should mention that anti-aliasing is still a great technique for two things: headlines and logos, where the overall appearance is more important than the sustained readability; and pictures. Antialiasing is a great way to scale photographic images to smaller sizes.)

Network Transparency

Ever since the first networks, the “holy grail” of network computing has been to provide a programming interface in which you can access remote resources the same way as you access local resources. The network becomes “transparent”.

One example of network transparency is the famous RPC (remote procedure call), a system designed so that you can call procedures (subroutines) running on another computer on the network exactly as if they were running on the local computer. An awful lot of energy went into this. Another example, built on top of RPC, is Microsoft’s Distributed COM (DCOM), in which you can access objects running on another computer as if they were on the current computer.

Sounds logical, right?

Wrong.

There are three very major differences between accessing resources on another machine and accessing resources on the local machine:

  1. Availability,
  2. Latency, and
  3. Reliability.

When you access another machine, there’s a good chance that machine will not be available, or the network won’t be available. And the speed of the network means that it’s likely that the request will take a while: you might be running over a modem at 28.8kbps. Or the other machine might crash, or the network connection might go away while you are talking to the other machine (when the cat trips over the phone cord).

Any reliable software that uses the network absolutely must take this into account. Using programming interfaces that hide all this stuff from you is a great way to make a lousy software program.

A quick example: suppose I’ve got some software that needs to copy a file from one computer to another. On the Windows platform, the old “transparent” way to do this is to call the usual CopyFile method, using UNC names for the files such as \\SERVER\SHARE\Filename.

If all is well with the network, this works nicely. But if the file is a megabyte long, and the network is being accessed over a modem, all kinds of things go wrong. The entire application freezes while a megabyte file is transferred. There is no way to make a progress indicator, because when CopyFile was invented, it was assumed that it would always be “fast”. There is no way to resume the transfer if the phone connection is lost.

Realistically, if you want to transfer a file over a network, it’s better to use an API like FtpOpenFile and its related functions. No, it’s not the same as copying a file locally, and it’s harder to use, but this function was built with the knowledge that network programming is different than local programming, and it provides hooks to make a progress indicator, to fail gracefully if the network is unavailable or becomes unavailable, and to operate asynchronously.

Conclusion: the next time someone tries to sell you a programming product that lets you access network resources the same way as you access local resources, run full speed in the opposite direction.
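The availability, latency and reliability point above, as an added example that is not from the original article: a Python transfer loop that reports progress, fails gracefully when the link drops, and resumes from the bytes already received. It does not use CopyFile or FtpOpenFile; `FlakyRemoteFile`, `transfer` and the payload are hypothetical and constructed here, and the SHA-256 check on the reassembled file is an addition beyond what the article describes.

```python
import hashlib


class LinkDown(Exception):
    """The simulated connection dropped (constructed for this example)."""


class FlakyRemoteFile:
    """Constructed stand-in for a file on another machine.

    Once `fail_after_bytes` bytes have been served, every read raises
    LinkDown until restore() is called, mimicking a lost phone line.
    """

    def __init__(self, data, fail_after_bytes=None):
        self.data = data
        self.fail_after_bytes = fail_after_bytes
        self.served = 0

    def size(self):
        return len(self.data)

    def restore(self):
        self.fail_after_bytes = None

    def read_at(self, offset, length):
        limit = self.fail_after_bytes
        if limit is not None and self.served >= limit:
            raise LinkDown("connection lost at offset %d" % offset)
        chunk = self.data[offset:offset + length]
        self.served += len(chunk)
        return chunk


def transfer(remote, received, chunk_size=65536, max_retries=3,
             on_progress=None, expected_sha256=None):
    """Copy `remote` into the bytearray `received`, one chunk at a time.

    Starts at len(received), so calling it again after a failure resumes
    the transfer instead of restarting it. Returns a dict with the outcome.
    """
    total = remote.size()
    drops = 0         # interruptions seen during this call
    consecutive = 0   # failed attempts since the last good chunk

    def outcome(status):
        return {"status": status, "bytes": len(received), "drops": drops}

    while len(received) < total:
        try:
            chunk = remote.read_at(len(received), chunk_size)
        except LinkDown:
            drops += 1
            consecutive += 1
            if consecutive > max_retries:
                # Give up, but keep what arrived so a later call can resume.
                return outcome("link_down")
            continue
        if not chunk:
            return outcome("truncated")  # remote ended before its stated size
        consecutive = 0
        received.extend(chunk)
        if on_progress is not None:
            on_progress(len(received), total)

    # A resumed file is stitched from several connections: verify it.
    if expected_sha256 is not None:
        if hashlib.sha256(received).hexdigest() != expected_sha256:
            return outcome("corrupt")
    return outcome("complete")


def demo():
    payload = bytes(range(256)) * 4096   # constructed 1 MiB "file"
    digest = hashlib.sha256(payload).hexdigest()
    remote = FlakyRemoteFile(payload, fail_after_bytes=300_000)
    received = bytearray()
    percent = []

    def report(done, total):
        percent.append(done * 100 // total)

    first = transfer(remote, received, on_progress=report,
                     expected_sha256=digest)
    remote.restore()                     # the line comes back
    second = transfer(remote, received, on_progress=report,
                      expected_sha256=digest)
    return first, second, percent, bytes(received) == payload


if __name__ == "__main__":
    print(demo()[:2])
```
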

Wordsworth Responds

In Strategy Letter I, I wrote:

If you’re going into a market with no existing competition, lock-in, and network effects, you better use the Amazon model, or you’re going the way of Wordsworth.com, which started two years before Amazon, and nobody’s ever heard of them.

I was happy to hear back from Sanj Kharbanda over at Wordsworth, who wrote:

Thanks for noticing us!

… A customer of ours pointed [Strategy Letter I] out and after the appropriate period in which I agonized over your comment I thought I might write back.

I have no qualms with what you say, though I must add that folks have heard of us (not to the extent they have heard of Aaaamaazon, but there are folks out there who know us—largely because of our reputation in the physical world). Our website does fairly well, in spite of us. We have put very little in terms of monetary resources in it and we are every marketer’s nightmare.

Are there days where we don’t kick ourselves? I’d be lying if I said no. Did we envision that the web would be this big for books? We knew it would be very big, we did not think it was going to be this HUGE.

Our error, we had the vision we just did not execute. (spilt milk—sour grapes etc). The only reason I can come up with is the same reason Wordsworth books has never tried to “chain” itself…we are an independent store that tries to keep the “community store” ethic and we were afraid we would lose that.

My rather extensive reply to Sanj… more of a rant about independent booksellers in general:

I love the concept of independent bookstores, but in many cases I think that they are just not “doing what it takes” to be competitive — online or in the stores. I suspect that is because the types of people who love books enough to be indie booksellers are not necessarily the best businesspeople.

Here’s an example I can think of… a famous bookstore here on the Upper West Side, Shakespeare and Co., closed down when a Buns and Noodle’s SuperDuperStore opened up practically next door.

I liked Shakespeare and Co., but, you know what? They just weren’t doing what it takes to be competitive. They didn’t have places to sit down. They made you check your bags. They didn’t have a cafe. Their selection was much smaller than B&N — for example, I wanted a book about bicycle touring — B&N had a whole shelf of bicycle books; Shakespeare had one book.

Indies’ “claim to fame” is that they have more knowledgeable staff and they do better selection of interesting books. Sometimes true, but not in the case of Shakespeare and Co., who were hiring the same local entry level workers that B&N did.

At the time, Shakespeare had limited floor space to expand their inventory — but a giant store that would have been perfect for a large bookstore was vacant, right across the street. My guess is that Shakespeare was undercapitalized and couldn’t afford to compete on the same basis as B&N. They hung on for a while but eventually closed down. I would miss them, if I could think of a single thing they offered that B&N didn’t.

In the online world, the same thing seems to be happening between Wordsworth and Amazon. Doc Searls changes his bookstore from Amazon to Wordsworth and sees his revenue plummet to $0. (Jakob Nielsen explains why). I myself am an Amazon affiliate; it’s earning me about $100 a month which just about covers the cost of all the books I buy at Amazon 🙂 [By the way… you guys should be thankful for Nielsen’s free UI advice; normally people pay about $30,000 for this kind of advice!]

Anyway, no matter how much I love independent bookstores, they just weren’t getting the books to the people. In many smaller cities across America, the Borders and B&N megastores represent the first time there’s been a decent selection of books available. I love the fact that B&N means that worried gay teenagers can read XY magazine, even if they live in Kansas City. I love the fact that B&N means that 2600 magazine is available nationwide. I love the fact that I can buy an XML reference manual at 11:30 PM in my neighborhood… before B&N, even in New York City, you had to go to McGraw Hill in midtown for good computer books, and they closed at 5 PM promptly.

Anyway, that’s my bookstore rant 🙂 It’s great to hear from you, and I suspect a lot more people will hear of Wordsworth if Amazon runs out of money as quickly as some analysts think they will!

Free Desktop Pictures!

Joel on Software presents… free desktop pictures!

Stuck behind a desk? Brighten your monitor a bit with these high resolution digital pictures I took this summer in East Hampton.


The Wireless Web: Spacesuits Needed

I try, I really do. I held off buying a cellular phone for years. I still don’t have a Palm Pilot. I managed to put off buying a stereo for long enough that my PC became a stereo. But sometimes my alternate personality takes over — the early-adopter, gadget-loving personality, and uses my wallet to buy some unnecessary toy, play with it for two weeks, and then bury it in the closet where it belongs.

This time, alter-Joel used my money to sign me up for the latest exciting service: “Wireless Web”, a.k.a. WAP service, from Verizon Wireless (mongrel spawn of BellAtlantic, GTE, and AirTouch). This is the “service” that lets you “surf” the “web” on your cellphone. Hmmm.

I had just gotten this phone a couple of months ago, so, like most new cellphones, it already had the microbrowser capability built-in. To get access to Wireless Web, all I had to do was call Verizon and sign up. They charged me $10 a month, plus airtime. More on the cost later.

The ordering process offered a brief insight into how thoroughly mismanaged big telecom companies like Verizon can be. It was a four step process, which will be familiar to anyone who has tried to order any service from any telecom recently:

  1. Try to order the service several times. Discover that the voicemail option to order the service just hangs up on you if you call after normal business hours.
  2. Order the service during normal business hours. Promised it will work within 24 hours.
  3. 2 days later, call back. Fight with telephone menu hell.
  4. They say, “whoops!” and activate the service instantly.

Whenever you order something and they say that the service will start “within x days”, you can tell that you discovered a business that has a turd-drop process in place. That’s a technical term. You see, the people taking orders for the service aren’t really equipped to turn it on. They just generate a list and drop it, like a turd, in a file somewhere. Once in a while someone else who really knows how to turn on the service comes along and picks up all the turds that have accumulated. Any shell script programmer will recognize this pattern: you have one program running that occasionally needs to get something done, and it does it by dropping a file in a pre-agreed place. Another program is constantly looking in that place, and when it shows up, it does its work. It’s an ugly hack and no programmer would consider this to be good programming style, because so many things can go wrong.

The thing of it was, the person who took my order couldn’t turn on the service, but of course, when I called to complain, they were able to turn the service on right away. So why didn’t they just do that in the first place? Incompetence in business process engineering, I guess. It seems like a costly waste of money to me.

But I’m getting off the point. The service did, eventually, go on, so when I clicked “Launch Browser” on my phone, after about 5 seconds, I got the exciting main menu:

You can probably tell that typing on this thing is a bit of a pain. Here’s how it works: to type a given letter, you press the key it’s on once, twice, three times, or four times. “2” is A, but “22” is B. So, to type out “Vampire”, you would press 8882674477733, then you’d realize that you typed “Vamphre” by mistake, then you’d play with the arrow keys to try to edit it. While you are typing, there’s a button which toggles between CAPS, lower case, numbers, and punctuation modes. The “1” key can be used for space, dot, @, comma, and other punctuation, with the most common punctuation conveniently arranged first.

Apparently teenagers in Finland have gotten really good at all this. I find that even typing a one sentence email is a bit of an exercise. Better to make a voice call (and risk actually having to speak to a human!)

The screen on my Motorola Startac has room for four lines. The top line is often used for a title, and the bottom line is almost always used to describe the “softkeys”: the two buttons that can do different things depending on the current mode. Reading email is not very fun with four lines, especially since one is used for the softkeys. You get about 7 words on the screen at once. Joy.

Although it’s called the “Wireless Web”, it’s not really the web. Because of the tiny screens, regular web sites would be unusable on this service. Instead, web designers are being asked to create separate wireless web sites using a language called WML, which is a lot like HTML, the lingua-franca of web pages. There’s been a bit of complaining about WML (“why isn’t it just HTML?”) but the truth is, the way these tiny screens work, it makes a lot of sense to have a language that is optimized for tiny screens and tiny amounts of bandwidth. Although many web sites are carping about the cost of developing two versions of their service, existing HTML pages just would not work on a four line screen. If you’re not willing to work hard to squeeze your content into this space, you might as well just not be on the wireless web. Sites like PayPal, Google, and Amazon have completely reengineered their offerings in WML. For example, Amazon has apparently decided that asking you to sign up for an account on tiny keyboards is just too silly, so you can only order books if you already have an existing Amazon account that you created on the web.

You may have heard a lot of whining about the WAP protocol, which has been criticized extensively for being proprietary, stupid, and a complete attempt to reinvent TCP/IP without the benefit of, well, TCP/IP. Although the criticism is true, the truth is, the WAP protocol itself just doesn’t matter to web site developers, because there’s a gateway that translates the WAP requests into HTTP requests. As far as the web site developer is concerned, you just write your site using WML instead of HTML, and serve it up using a regular web server like Apache.

What Web Sites Can I Get?

This is the number one question that the cellular service providers don’t want you to know the answer to. The answer is a bit tricky so pay close attention.

Some providers are providing an emasculated version of the wireless web that only allows you to get to a few “featured” sites, basically, sites that have paid for the honor of being on that service. This is the approach taken by AT&T Wireless, among others. These providers do not allow you to enter a URL for any site. It reminds me of the bad old days of AOL, when there were about 100 neat services available on AOL, but that was it. If somebody wanted to publish information for AOL, they had to make a pilgrimage to Virginia and sign a deal. But then the Internet came along, and anybody could be a publisher, and now there are a billion sites out there, and every online service had to get with the program and let people see web sites, or they would be out of business faster than you can say “Dinosaur”. The unbelievable stupidity of the cellular providers that haven’t learned this lesson and are trying to create their own private micro-sub-set of the wireless web is outrageous. Do not use their service unless you’re the kind of person who would consider buying Internet access that only let you go to a dozen web sites.

Other cellphone companies, including Verizon, let you access any WML site. There’s a way to type a URL and then make a bookmark, which is handy. I’ve made bookmarks for Google, Amazon, PayPal, and Visto (which I use to check my regular email). On my phone, there’s only room for 10 bookmarks, and you get to them by holding down one of the number keys. For example, if I hold down the 3 key for a few seconds, it will go to Visto.

There are only a handful of WML sites live today, although Silicon Valley herd-mentality venture capitalists are so gaga about wireless everything, I’ll betcha there will be a whole new generation of overcapitalized wireless sites soon. In the meantime, you can’t really go to HTML sites over cellphones. Google is offering a service that translates any HTML site for you into WML, which, theoretically, lets you visit HTML sites, too. But the trouble is that the screen is very tiny, pages are limited to about 1500 bytes, and pictures and tables don’t show up, so many sites are completely useless when you read them through Google’s translation service.

Can you do anything useful?

Ah, that’s more tricky. Here are some of the useful things I’ve found that I can do:

  • I used the online white and yellow pages once to find a nearby Barnes & Noble. Of course, I could have just called Information.
  • I’ve checked my email at the beach. Really. It’s kind of embarrassing (“dammit, man, you’re on vacation”), but it’s sort of fun to see all my Joel on Software fan mail flooding in. I’m using Visto.com to check email, because they have a decent WAP site and they can check your regular POP3 mailbox for you. (There’s built-in email on the phone, but nobody sends email to that address, which is why I use Visto, which I recommend). I’ve only SENT email once from this thing, but it’s just too much of a pain, and it’s easier to call.
  • Reading the New York Times Book Review at the beach, I ordered three books from Amazon, using a pre-existing account, in a couple of minutes.

If you actually find anything else useful or entertaining you can do with this wireless web stuff, that’s actually better than just making a phone call, email me, OK?

Is it worth it?

Ah, and herein lies the rub. Are you sitting down?

Yep, that’s right, my phone bill was $284 for the first month of playing around with this service, and I didn’t even play with it that much. I tried to analyze the bill to figure out why it was so much. I had used 147 “minutes” of data time during the month. Actually, I probably didn’t use close to that much, but cellular providers love to round up to the nearest minute.  And the crappy cellular system tends to knock you offline a lot. When this happens, the phone says “Connecting” for about 5 seconds and then reconnects you. But it means that you often end up paying for the same minute twice:

I had a bunch of free minutes with my calling plan, but I was over the limit, so many of these minutes were 35 cents each. After this bill, I think I’m going to limit my use to real emergencies like ordering cookbooks. I just can’t afford to explore any more.

A couple of cellular providers have been advertising “free wireless web.” This is pretty dishonest. What they mean is usually that they’ll waive the signup charge, or even waive the monthly fee. But considering that they charge for airtime, and they round up the minutes gleefully, the airtime can be pretty damn expensive. If you sign up for wireless web, make sure that you have enough free minutes on your calling plan.

So, will wireless web take off?

In 1992, I was in the library at the University of Washington. They had set up a terminal connected to a new service called Gopher, which was, in many ways, the precursor to the web. It was very exciting. You could go to gopher sites for lots of universities all over the world. Some of them even had their course listings online! I remembered thinking about all the possibilities. When I saw Mosaic for the first time, there wasn’t much you could do or see, but I realized that it was only a matter of time before this thing exploded.

Looking at wireless web today, I get that same gut feeling as I did when I looked at the web, way back when: it looks like a ghost town, without very many useful things yet. You can make all kinds of claims about its weakness (it’s slow, expensive, tiny, and has no sites…), but then again, all those claims were true in the early days of the web, too, and look where we are today. Every VC on the planet has heard the story of Jim Clark discovering Mosaic a million times. Every VC and Silicon Valley entrepreneur has been searching for “The Next Internet” for so long that as soon as something comes along that sounds like it might be The Next Big Thing, they jump in.

Will history repeat itself? Maybe, maybe not. The web was truly a revolution in the way that the printing press was a revolution, but wireless web seems to be just an incremental step, not a revolution. In any case, you can debate all night about whether there will ever be truly useful wireless web services, but I’m starting to think that the high price charged by the cellular providers is going to choke off the oxygen to this fledgling service before it can get started.

Remember that when the web started, most Internet access was unmetered: you paid a low monthly fee no matter how long you used the service. But as the wireless web gets started, the fees are outrageous, and the early adopters are going to get reamed by their first phone bill. If you think you can make a profit in a wireless world in which the telcos are sucking out all the oxygen, well, you had better bring a spacesuit.



Passport Responses

My article Does Issuing Passports Make Microsoft a Country? seems to have hit a nerve. Here are some quotes from the responses I received. I can’t resist mentioning one fact: out of the dozens of emails I received, only one supported Passport, and that was from a Microsoft employee. Which just goes to show how powerful the Microsoft Reality Distortion Field gets in Redmond.

Microsoft controls PassPort and.. they control Frontpage, arguably the most popular web management software. How much time before they put “Passport extensions” into Frontpage that will make your and my website part of the PassPort network? It’s not just Microsoft sites, they’ll know all about you if you visit competitors, mom-n-pop shops, porn sites, etc etc.

— Jacob Levy

That’s scary stuff. Enough so, that I’ve added an entry to my local DNS server which says *.passport.com is a CNAME for 127.0.0.1. Interestingly enough, most MS sites quit working, but I’m pretty sure I’m off their radar now.

— Dave Polaschek, Polaschek Computing

What Microsoft is doing is what every ad banner network has been doing for ages: spying on you. Ever since the cookie was integrated into most browsers, there has been zero privacy on the net, ethical or not.

— Nick Bauman, WebHelp.com

Following on from your M$ Passport article, I have not seen anybody talking/writing about the fact that the M$ cookie-cutter “initiative” that has got DoubleClick and others so riled, is just another stick to lever business onto Passport, because it will be one of the few ways to achieve what cookies do (and worse obviously) without them.

— Robin Benson

The new MSN 6 beta browser (downloadable from msn.com as “MSN review 1”) does in fact eliminate this step. To use the browser you have to enter your Hotmail ID and password. Then you are treated to a flashing white bar and a message that says “signing in…”. After that, access to MSN, Hotmail etc is seamless… no signing in or out.

— Prasenjeet Dutta

Do you think the alternative: typing all of your information every time you log into a site and having so many passwords to remember is acceptable?

Do you use multiple credit cards so that no one credit card company knows your purchase habits?

Wouldn’t you prefer targeted ads (e.g. houses for sale in Jerusalem) to the random ones—given that you’re seeing ads anyway?

Single identity is the #1 feature of AOL and Amazon (why else would you pay more for toys from Amazon?)

It’s silly to suggest the theoretical concern that one day the system will try to charge you more if you have money—(a) first of all, that’s true today anyway (if you buy an item from a high-end retailer targeted at wealthier folks you will pay more than if you bought the same thing at Target), but (b) the web makes it so easy to compare prices that Expedia couldn’t get away with your scenario. And, passport requires a log-in, so it’s easier to hide your Bankruptcy book purchase from passport than it is to the credit card companies.

Someone has to solve this problem. If you think you know a better way, then that would be a much more interesting article…

— An [anonymous] 10 year Microsoft veteran

Does Issuing Passports Make Microsoft a Country?

Am I the only one who is terrified about Microsoft Passport? It seems to me like a fairly blatant attempt to build the world’s largest, richest consumer database, and then make fabulous profits mining it. It’s a terrifying threat to everyone’s personal privacy and it will make today’s “cookies” seem positively tame by comparison. The scariest thing is that Microsoft is advertising Passport as if it were a benefit to consumers, and people seem to be falling for it! By the time you’ve read this article, I can guarantee that I’ll scare you into turning off your Hotmail account and staying away from MSN web sites.

This article has two parts. First, I’ll present a brief technical overview of how Passport works and why it eliminates the last line of defense protecting your privacy. Second, I’ll talk about how Microsoft plans to develop Passport to create a massive consumer information database and link all your private information together, and how they plan to profit fantastically from it.

But before I get started, let me say that I’m not just writing this to bash Microsoft. That’s not my goal here. Microsoft is a large, diverse company with many smart people and many ethical people; they have many great products and some pathetic products, too. I spent 3 years working at Microsoft, many of my friends are still there, and I’m a Microsoft shareholder. I’m writing this article because I think the Microsoft Passport story is fascinating from a privacy perspective and from a business strategy perspective, and because nobody else seems to be covering it.

1. How Passport Works

In the olden days of interactive computing, you got an account on one computer which was all you ever used. You had one username and one password to remember. The web has changed things dramatically: because it is so easy to visit lots of web sites, you may have accounts with dozens of companies on dozens of different computers. I have 81 at last count. Most people have no hope of remembering 81 different account names and passwords, so they tend to just use the same password on every site, or they keep a long list of passwords written down somewhere. It’s a bit of a nuisance. If you regularly shop online, you’re probably getting sick of typing in your home address, credit card information, and remembering the user name and password for all those sites. It’s extremely common for people to abandon their shopping carts on the web when they see the long form they have to fill out to make an account and purchase their products.

This is the kind of problem that Passport is promising to solve. To understand how it works, I’d like to take a few minutes to talk about some web security and privacy technology and how Passport subverts it.

How Cookies Work

There’s a lot of wrong information about cookies out there. All a cookie does is tell a web site operator when somebody who has been there before comes back to their site. It doesn’t give the web site operator any information about that person’s identity; it just says “Hey, that visitor who was here last Tuesday at 4:15 PM? That person is back again.”

Technically, the way it works is that when you go to the web site for the first time, the web server makes up an ID for you. For example, if I go to www.eCrap.com, it might make up the number 76JU589SU for me, which is completely meaningless. The web server sends this meaningless ID number to my web browser, which stores it.

Now, the next time I go to eCrap.com, my web browser will tell the web server: “Yo, in case you care, this is 76JU589SU coming back again. Thought you might want to know.”

That’s all there is to it. Now, since eCrap is smart, they opened a file on me, marked 76JU589SU. In that file, they could keep any information I give them. If I buy something from eCrap and give them my address, they could store my address in their 76JU589SU file. And my credit card. And a list of the things I bought. Next time I wanted to buy something, since they already know who I am, they can offer to let me purchase it without typing in an address or credit card number, because they can just look that up in their file.

Theoretically, the only information eCrap can put in their file is the information that I give them. Amazon’s files probably contain information about what books I bought, my address, credit card information, and maybe some information about what books I looked at but didn’t buy… any information that they can gather from my activity on their web site. Amazon does not know how old I am or what color my hair is, since I never told them that information. They don’t know that my favorite cafe is The Big Cup in New York City, because I never gave them that information, either. But they do know that I bought the book 101 Cute Puppies from them. One day, if 101 More Cute Puppies comes out, they are probably going to search their files for people who bought 101 Cute Puppies and tell us about the sequel the next time we log on.

How Cookies Protect Your Privacy

Now, suppose I decide to open a credit card account online. Of course, the credit card company would probably love to know that I just bought “Bankruptcy for Dummies” and “How to Stiff Everyone And Move To Brazil” from Amazon.com, but they are not going to find out. Why? Because my web browser will simply never send my Amazon cookie to the credit card company. The golden rule of cookies is that they are only sent back to the same web domain as they came from. This is important to remember, because it’s the only thing that really protects you from having all the web sites you visit swap information about you. I don’t want my credit card company to know that I bought a bankruptcy book. I don’t want potential landlords to know that I read lots of articles about caring for Boa Constrictors. I don’t want potential employers to know that I read web sites about homemade bombs. They’ll probably take it the wrong way.

Unfortunately, this is one case where the consumer’s interests and the web site’s interests are diametrically opposed. Every web site in the world wants to show you targeted ads. When I visit The Dilbert Zone, they would love to know that I read The Jerusalem Post online and send me an ad for luxury apartments in Israel, because targeted ads sell for a lot more money than non-targeted ads.

Subverting The Golden Rule

Web advertising companies, like Doubleclick, are trying to collect as much information about people as possible, so that they can send them targeted ads. The way they do this is by having their member sites show ads which all come from the same web domain: the advertising company’s own.

Here’s an example of how this works: I go to The Jerusalem Post to read the latest news. The Jerusalem Post web site includes an advertisement which is actually served up by the Doubleclick web server. Now Doubleclick opens a file on me and sends a cookie back to my web browser.

Later that day, I go to the Dilbert Zone. Dilbert also includes an advertisement, also served up by the Doubleclick web server. Remember, the golden rule of cookies is that they are only sent back to the same web domain as they came from. So my naive web browser says, “Oh, you’re going back to Doubleclick, I’ll just tell them that you’re the same person that was here before…” and now Doubleclick knows that somebody who went to The Jerusalem Post before is now visiting Dilbert, so they show me that ad for the expensive apartment in Israel.

Passport Has Another Way

The Doubleclick trick for sharing your information only works for ads, but Microsoft Passport found a way to work around the golden rule for any site. Here’s how it works.

Go to http://www.hotmail.com. Watch what your web browser does. You’ll see that your browser first goes to Hotmail for a second, then jumps to www.passport.com for a split second, and then immediately goes right back to Hotmail. What’s going on?

It turns out that there’s a feature to allow a web page to tell your browser to go somewhere else instead. For example, if you try to go to eCrap.com, that site might tell your web browser “Oh, we’ve gone bankrupt. Please go to our lawyer’s site instead, DeweyCheatumAndHowe.com.” It’s called a client redirect.

That’s what Hotmail is doing. It only takes a couple of seconds, but while it’s happening, Hotmail and Passport are communicating through your web browser about who you are.

Now, if you go to another Microsoft web site, say, www.investor.com, the same thing will happen: you’ll get redirected to Passport and then back to Investor. Because Passport is “telling on you”, even though your web browser is supposed to be protecting your security by following the golden rule of cookies, it’s really Passport that is signing you in. Bottom line: Hotmail knows that you’re the same person that just went to Investor. And that applies to any Microsoft web site: Slate, Expedia, Hotmail, Investor, MSN, etc.

The way Passport uses client redirect to subvert cookie security is basically just taking advantage of a security hole in web browsers. Cookies weren’t meant to allow this. But you can bet that this is one security bug that Microsoft is not going to fix.

To Summarize:

The golden rule of cookies that protects your privacy is that they are only sent back to the same web domain as they came from. Microsoft Passport eliminates this protection, allowing any Passport site to share information about you.
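The two workarounds described above (an ad served from one shared domain, and a redirect through one shared sign-in domain) can be reproduced in a toy model. This is an added example, not code from the original article: the host names, IDs and the redirect exchange are constructed assumptions rather than the actual Passport protocol, and the model goes one step further by showing what refusing third-party cookies does and does not change.

```javascript
// Toy browser model. Hosts, IDs and the redirect exchange are constructed
// assumptions for illustration, not the actual Passport protocol.
let nextId = 0;
const newId = (host) => `${host}-${++nextId}`;

class Browser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.jar = new Map(); // host -> cookie value
    this.blockThirdPartyCookies = blockThirdPartyCookies;
  }

  // One HTTP request; topHost is the site shown in the address bar.
  request(server, topHost, extra = {}) {
    const thirdParty = server.host !== topHost;
    const allowCookie = !(thirdParty && this.blockThirdPartyCookies);
    // Golden rule: a server only ever receives the cookie it set itself.
    const cookie = allowCookie ? this.jar.get(server.host) : undefined;
    const res = server.handle({ cookie, ...extra });
    if (res.setCookie && allowCookie) this.jar.set(server.host, res.setCookie);
    return res;
  }

  visit(site) {
    let res = this.request(site, site.host);
    while (res.redirectTo) {
      // A redirect is a top-level navigation, so its target is first-party.
      const target = res.redirectTo;
      res = this.request(target, target.host, { query: res.query });
    }
    // An embedded ad is fetched from the ad server while the page is shown.
    if (site.embeds) this.request(site.embeds, site.host, { referer: site.host });
  }
}

// Ad server or sign-in server: keeps one file per cookie ID.
function makeTracker(host) {
  const files = new Map(); // cookie ID -> sites where this ID was seen
  return {
    host, files,
    handle({ cookie, referer, query }) {
      const id = cookie || newId(host);
      const seenAt = referer || query?.returnTo?.host;
      if (!files.has(id)) files.set(id, []);
      if (seenAt) files.get(id).push(seenAt);
      // When asked to, bounce the browser back and carry the ID along.
      return query?.returnTo
        ? { setCookie: id, redirectTo: query.returnTo, query: { uid: id } }
        : { setCookie: id };
    },
  };
}

function makeSite(host, { embeds = null, idp = null } = {}) {
  const site = {
    host, embeds, seenUids: [],
    handle({ cookie, query }) {
      if (idp && !query?.uid) return { redirectTo: idp, query: { returnTo: site } };
      if (query?.uid) site.seenUids.push(query.uid);
      return { setCookie: cookie || newId(host) };
    },
  };
  return site;
}

function runScenario(blockThirdPartyCookies) {
  nextId = 0;
  const ads = makeTracker('ads.example');
  const idp = makeTracker('id.example');
  const sites = [
    makeSite('news.example', { embeds: ads }),
    makeSite('comics.example', { embeds: ads }),
    makeSite('mail.example', { idp }),
    makeSite('stocks.example', { idp }),
  ];
  const browser = new Browser({ blockThirdPartyCookies });
  sites.forEach((s) => browser.visit(s));
  return {
    adFiles: [...ads.files.values()],
    idpFiles: [...idp.files.values()],
    uidsSeen: [sites[2].seenUids[0], sites[3].seenUids[0]],
  };
}

console.log(JSON.stringify([runScenario(false), runScenario(true)]));
```

With third-party cookies refused, the ad server ends up with two unrelated one-site files, while the sign-in server still holds a single file covering both member sites, because the redirect makes it the first-party site for that instant.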

2. How Passport Will Be Developed

The supposed benefit of Passport to consumers is that it allows them to use one login and password to access all the Passport web sites. 

But the benefit to the web sites is much greater, because now they can pool and share their information about you. Let’s take a hypothetical example that’s possible today. Microsoft’s online travel agency Expedia is a Passport web site, and Microsoft Investor is too. One day, Expedia could start offering higher fares to customers who have more than a million dollars in their Investor stock portfolio. There’s not really anything technically impossible about this, and it’s probably legal, too.

Web businesses would love to have a way to combine their files on you. And the more businesses that have the opportunity to combine their files, the more valuable it is. There’s a network effect going on here (a.k.a. Metcalfe’s Law): the value of a network of web sites who swap data is the square of the number of sites in the network, because every site can exchange data with every other site.

The spooky thing about Passport is that there’s one company that serves as the gatekeeper to joining the network: Microsoft. Which is why this has the potential of being a phenomenally valuable business. 

There are many ways Microsoft can profit from Passport. They could charge a commission when web sites sell data about consumers. They could sell private information which they collect from their participant sites. Or they could just charge web sites to belong to the network. It’s a great business that makes credit agencies look like they have nothing.

The scary thing is that if you use Internet Explorer, Microsoft controls your web browser. You can be sure that Microsoft would love to eliminate that nasty two second flash while your web browser is redirected through passport.com. I’ll bet there’s a feature under development for a future version of IE that will make Passport just be built into the web browser, or even built into the operating system itself. Don’t believe me? Here’s a quote from Microsoft’s .NET white paper:

Building on Microsoft Passport and Windows authentication technology, [Windows.NET] provides levels of authentication ranging from passwords and wallets to smart cards and biometric devices. Enables developers to build services that provide personalization and privacy for their customers, who in turn can enjoy new levels of safe and secure access to their services, no matter where they are or on what device. Supported in the first major release of Windows.NET, code-named “Whistler.”

Notice the way Microsoft acts as if they are providing “privacy” and a “new level of safe and secure access.” Uh huh. The best way to lie is through repeated assertion until eventually nobody notices the lie.

Passport will be built into IE, it will be built into the operating system, and it will be made available as a programming interface so that developers can use it, and frankly, there goes your last defense against corporations building up gigantic super-databases with outrageous amounts of personal information about everyone.

Yeah sure, Microsoft promises to protect your privacy… Does anybody really believe this for a minute? Every day there’s a new story about a security breach — Hotmail itself, a Passport site, had a major security breach a couple of months ago that made it into the headlines. During the next wave of web based business failures, we’re going to start seeing a lot more stories like the one about how toysmart.com, as soon as they went bankrupt, reneged on their promise to protect the privacy of their customers. Even the best laid plans to protect consumers’ privacy don’t work. There are always software bugs and security goof-ups. Unscrupulous employees on the inside abuse their ability to look at the database. Court orders and subpoenas force companies to divulge information they promised to keep secret.

If Microsoft was honest about protecting your privacy, they would let users keep their private information on their own computers, and they would ask you every time they were going to reveal some data.

But they’re not being honest. They want all your data in a big database on their server, thank you very much, and they want you to click “I Agree” to the 27 pages of legalese which says things like “Microsoft reserves the right to amend this agreement at any time.” If you really trust any Internet company to protect your privacy, I’ve got a bridge to sell ya.


Read some of my readers’ responses.
JunkBusters on Microsoft and Privacy

Anonymous Response

An anonymous reader inside Microsoft writes, in response to my article Microsoft Goes Bonkers:

It’s not just you…many of us at MS don’t even begin to understand what .NET is (and I even work on Passport, the shining example of a “web service”). Management spent nearly a year explaining how everyone needed to focus on NGWS and how we could all fit into the vision – without ever describing the goal. It was the proverbial answer in search of a question. All of a sudden it has a new name, seemingly an attempt to hide the fact that it still has no body. And to make things worse, they throw in a brand-new programming language which is really nothing more than a copy of Java which is unfinished, hasn’t been tested for five years, and lacks a large standard library.
I’ve asked around how this new .NET plan differs from everything we’ve been working on the past two years and haven’t been given a decent answer.
“What’s a web service?”
“Look at Passport! THAT’S a service!” (they love saying that one)
“You mean a web service is just another site that you visit that drops encrypted cookies on your machine?”
“No no no. It enables people to work together! It empowers companies to share information!”
“You mean it lets partners access information that _WE_ maintain in a central repository? How is that different from any other website?”
“We allow users to interact with the service! It’s not a static vision of the web! It’s a two-way collaboration!”
“You mean users fill out forms to create an account. And then we let them access it. What is new about that?”
The answers just kept getting more incomprehensible.
I don’t think we know what .NET is. It is becoming all things to all people and the vision continues to grow. Every product that ships in the next two years seems to be added under the umbrella. I’m amazed more people haven’t laid into us for being so vague. Perhaps .NET is nothing more than a hopeful solution to a deeper problem…a lack of focus in the company – a missing goal and rallying point. Unfortunately, we need a lot more than hand-waving right now.
Thanks for the intriguing posts!