Acquisitions are the most common exit for venture-backed consumer software companies, and the privacy software sector is no exception. Understanding the pattern isn't cynicism — it's how you evaluate the long-term risk of relying on any privacy tool whose business structure includes an exit.
Here's a look at some of the clearest cases, what actually happened, and what it tells us about the structural risks of acquisition.
A Timeline of Privacy Erosion After Acquisition
WhatsApp → Facebook ($19B)
WhatsApp launched in 2009 with an explicit anti-advertising stance. Co-founder Jan Koum had grown up in Soviet Ukraine and was deeply suspicious of surveillance. The service charged $1/year and pledged never to show ads. The acquisition by Facebook was announced with assurances that WhatsApp would operate independently.
By 2016, WhatsApp revised its privacy policy to share phone numbers with Facebook for ad targeting — despite having promised in 2012 that it would never do so. The FTC investigated whether this violated the original acquisition terms. The EU fined Facebook €110 million. Both founders had left the company by 2018. By 2021, WhatsApp updated its terms to further expand data sharing with Meta services. The privacy commitments made at acquisition exist in archived form on the Wayback Machine; the current product is substantially different.
Skype → Microsoft ($8.5B)
Skype was the dominant encrypted VoIP service before the Microsoft acquisition. Microsoft's 2013 PRISM participation — revealed in Snowden documents — included Skype. Microsoft allowed the NSA to collect Skype video calls and messages. Whether this was technically feasible before the acquisition is debated; what's documented is that by 2013, Skype communications were accessible to US intelligence under PRISM. Microsoft redesigned Skype's architecture in 2012 — shifting from a peer-to-peer model to a centralized one — which made interception substantially easier.
Wickr → Amazon Web Services
Wickr was a well-regarded encrypted messaging platform used by journalists, legal teams, and security-conscious enterprises. It offered disappearing messages, end-to-end encryption, and a genuine privacy focus. Amazon acquired it in 2021. In 2023, Amazon shut down Wickr Me — the consumer-facing free version — entirely. The enterprise product (Wickr Enterprise) was retained and rebranded as AWS Wickr, targeting government and enterprise clients. The consumer privacy tool ceased to exist. Users were given migration instructions; their conversation history was unrecoverable after shutdown.
Tumblr → Automattic (after Yahoo → Verizon)
While Tumblr isn't primarily a privacy tool, its ownership chain illustrates acquisition risk. Yahoo acquired it for $1.1B in 2013. Yahoo was later acquired by Verizon and folded into Oath/Verizon Media. Verizon sold Tumblr to Automattic for a reported sum under $3M in 2019 — a 99.7% loss in six years. User data, content policies, and the product itself changed substantially with each ownership change. The privacy policy users agreed to at signup bore little relationship to how their data was handled under subsequent owners.
SpiderOak → partial wind-down
SpiderOak was an encrypted cloud storage provider with a genuine zero-knowledge architecture — Edward Snowden explicitly recommended it over Dropbox. The company struggled commercially despite strong technical privacy properties. Their encrypted messaging product, Semaphor, was discontinued. The core backup product still exists in reduced form. This case illustrates a different risk: not acquisition but abandonment. A privacy-focused product with insufficient revenue doesn't need to be acquired to fail — it can simply lose funding and stop being maintained.
The Mechanism: Why Erosion Happens
Acquisition-driven privacy erosion isn't usually the result of bad faith. It's structural. When a company is acquired, several things change simultaneously:
- Ownership changes. The founders who built the privacy commitment may no longer control product decisions. They may have contractual lockup periods but limited ongoing influence.
- Revenue pressure changes. The acquiring company paid a significant sum and has return expectations. A product that was sustainable as an independent, subscription-focused service now needs to fit into the acquirer's business model — which is often advertising or data monetization.
- Privacy policies are not contracts. A privacy policy can be updated unilaterally with notice. Users who agreed to the original policy have no legal claim to the previous terms in most jurisdictions. The FTC has taken action when changes were particularly egregious (as with WhatsApp), but routine policy updates are largely unchallenged.
- Technical architecture may be centralized. Skype's architectural shift from P2P to centralized servers during the Microsoft transition is the clearest example. Centralization makes the product more manageable for the acquirer — and easier to surveil.
Privacy degradation after acquisition rarely happens in a single visible step that triggers user outrage. It happens through a series of small policy updates, feature changes, and gradual data-sharing expansions — each individually justifiable, collectively representing a fundamental change in what the product offers.
What Users Can Do
There's no acquisition-proof privacy tool, but there are ways to reduce acquisition risk:
Check ownership structure. Is the company VC-backed with investor pressure toward an exit? Has it taken outside investment? Bootstrapped and subscription-funded companies have no exit on the roadmap and no investor mandate to pursue one.
Check open-source status. Open-source clients make architectural degradation visible — anyone can examine whether the encryption implementation has changed. Signal's client being open source means the community would notice if encryption were weakened. A closed-source app can change its implementation without any external review.
Check for change-of-control provisions. Some privacy services include explicit terms that prohibit data use changes upon acquisition, or require user consent for changes to core data practices. These aren't legally iron-clad, but they signal intent and create at least a reputational commitment.
Prefer services where the encryption model limits damage from acquisition. A service that never holds your encryption keys in a usable form can't hand them over even under new ownership. Zero-knowledge architectures reduce the value of the user data to a potential acquirer — which both limits what an acquirer can do with your data and reduces the incentive to acquire in the first place.
The Honest Question for Any Privacy Tool
When evaluating whether to trust a service with sensitive communication, the relevant questions aren't just about today's policies. They're about trajectory:
- What happens to this service if the founders leave?
- What happens if it's acquired in a down market for $50M instead of $500M?
- What happens if it runs out of funding in three years?
- What data would a new owner have access to, and what could they do with it?
These questions don't have comfortable answers for most VC-backed apps. They're not meant to. The point is that privacy is a long-term property — it needs to hold up across management changes, ownership changes, and business model pressure. Services that are structurally aligned with privacy in their funding model, architecture, and legal posture are more likely to maintain that alignment over time than those that rely solely on current leadership's good intentions.
Good intentions don't survive acquisition. Architecture does.