Unknown Unknowns of Buying Online Businesses


“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.”

We’ve all heard the Donald Rumsfeld quote about the “Unknown Unknowns” by now. It’s easy to laugh at until you find yourself faced with a situation where an unknown unknown from a business you bought, or a project you inherited, creeps up and surprises you. Hence, that is why they “tend to be the difficult ones”.

One of the biggest unknown unknowns in taking over and running someone else’s project – whether it be their code base, their old business, or even a school project – is where the former user failed to point out – either on purpose, or malice, or through sheer neglect – a few details about their project that are essential for your long term success and viability.

I would wager that it’s not even possible to remember every single detail one would need to share with a potential new business owner, no matter how small or insignificant the business project may be to the seller or buyer.

Even the simple sale of a basic, low 5 figure Amazon Associates website will have a few particular unique qualities about it that might not be properly conveyed to a new owner.

Amazon Affiliate Unknown Unknowns

Many years ago, I purchased my first Amazon Associates affiliate website to get my feet wet and see if acquiring websites as assets for a portfolio of cash-producing investments was something I would enjoy. (The answer turned out to be a resounding Yes!)

What the seller forgot to mention was that all of the tracking ID’s that were passed to Amazon when a user clicked on an Amazon product link weren’t really set in the Associates WordPress plugin where it appeared they were set. Those settings were actually overridden from a different location, leaving the sellers associate ID’s intact and mine “accidentally” overwritten.

Basically, the seller was hijacking my affiliate tags and substituting his despite it looking like mine would be used, and I would get credit for the sale.

(Incidentally, this is how Honey works; they hijack the transaction when you click “Apply Coupon” and slip their own associate ID into the mix, removing the ID of the originator that sent the buyer to Amazon in the first place. For some reason, nobody other than affiliates relying on Amazon Associates for income feels this is unethical, which I believe it is.)

Keep in mind, a broker specializing in transferring Amazon Affiliate websites swapped my associate’s ID for the sellers before transferring the site to me and didn’t even notice that the seller was still going to get credit for future sales. Trust, but verify.

At the time, I don’t even know such a problem was even possible; it was unknown to me that such risk even existed. One could argue it’s known that sellers might try to cheat you, and it’s just unknown how they will do it. Yet, as green as I was, it was unknown to me that someone would try to sell me their site and still keep their IDs in the process, and it was certainly unknown to me how to detect such trickery.

That’s the danger of being new, naive, and not researching as much as humanly possible when starting on a new venture.

Everything I read was public. Anyone could buy the same books and magazines. The same information was available to anyone who wanted it. It turns out most people didn’t want it.

– Mark Cuban on the secret to his success in the computer business

Only after days of digging into the WordPress source code (to solve a completely different problem) did I realize that this developer had set the ID’s in the child theme’s javascript, not via the plugin normally used to set these types of ID’s.

It was a bit of a magic trick – obviously on purpose – where I would change the IDs in the Amazon plugin he claimed he was using to set the affiliate IDs. However, unknowingly, those values were overridden by the javascript affiliate ID’s of his own that were still left in the theme settings. But only a certain percentage of the time, there was a rand() function that only caused this substitution to happen occasionally.

I wonder how that type of seller would trick many non-technical people? They would see a drop in sales immediately after the sale and think traffic was down 20-30% due to the seller removing a PBN or one of the many other usual downticks in income after a sale. There’s little risk to the seller, as the seller is still getting some perpetual income and a purchase price on top of it to boot.

That’s an unknown unknown that I never, ever would have thought of…until I found it. Now I know, but how many more unknown unknowns are still out there that I don’t know about?

Github Code Repo Unknown Unknowns

Could there possibly be unknown unknowns still lurking in a business you’ve been running for 5 years?

Obviously, yes, there could be…

Alerted by Dead Man’s Snitch to some issues with one of our proxies, we slowly discovered that a library we depended upon had been deleted in Github.

How could that happen? What library did we depend on – that we didn’t control – was lurking in our code?

After considerable digging, reviewing backups, and head-scratching, we realized that a prior developer that worked for us was cleaning out his Github repos that he didn’t use any more. He was interviewing for a new position and wanted to clean up his Github profile…a completely logical and sensible move.

Yet, one of those repos he was cleaning up was inserted at some point in the past into our codebase when he worked for us, but it still was called by one of our processes. Obviously, deleting it caused the problem.

The solution wasn’t too hard. We could pull back an old copy of the code and bring it into our private repo. However, what a shock to find that someone who was no longer with our project still had his hands deep within our business!

I’ve been at the helm for over five years, and a developer was able to slip in his own code into the project, leave, and still be able to bring my business to a screeching halt.

That’s pretty much the worst of the unknown unknowns.

Should I have caught it beforehand? Well, I guess so, I’m the owner, and all responsibility falls on my shoulders, the good and the bad.

However, our product is fairly distributed, and I’m not sure, even if I knew that there was code in our files that we didn’t fully control, that I could have found this particular situation.

There still may be some remote library reference that could go offline in the future and catch us completely flat-footed.

The only known thing about that situation is that it will cause a problem at the worst possible time because that’s how it always happens. That I do know.

Challenges for Non-Technical Buyers

I believe that one of the hardest parts for non-technical buyers of technical/online businesses is that by not knowing the nuts and bolts of the underbelly of the business, their blind spots increase, and the number of unknown unknowns that can devastate your cash flow increases exponentially.

I’m not saying that non-technical people shouldn’t buy an online business, far from it, but what I do want to point out with this essay is that not knowing how to build what you are running carries an unquantifiable risk.

In many ways, I think of online business buyers, like myself, like general contractors. General contractors (GC) manage a large project from the top, overseeing resources allocation, scheduling time management for personnel and little bits of code, and taking responsibility for the results.

What I don’t see very often is a construction project with a lead general contractor who has never worked in construction on his or her way to reaching that top-level status. In fact, I would expect that all GC’s know the fundamentals of electrical wiring, bricklaying, fabricating a structure, and framing a house. When you’re going to operate a business solely based on the Internet, technology, and code, and you don’t know your DNS from your DMZ, there’s a considerable amount of risk introduced by that lack of knowledge.

If you aren’t knowledgable in the area of business you prepare to invest in, you owe it to yourself to spend some time learning about the fundamentals of technology and online companies before you risk your time, money, and reputation on a business that’s completely virtual, rarely understood by outsiders, and difficult to protect if you don’t know the risks.

I’ll do my best to help educate via sharing my experiences, but make sure you utilize every resource possible. Read books, take classes, even do a small website design project yourself.

That’s the type of focus and engagement with your future that can help eliminate those types of unknown unknown risks…

The Future – Customize Solutions Trojan Horse

I still have an unknown unknown that I have yet to solve to this day.

I purchased a business from a very skilled technical owner who had customized a considerable amount of an open-source shopping cart platform. It created really wonderful solutions for customer problems, but I always had a nagging feeling that something in the platform was there waiting for me, watching my every sale.

The whole business was too specialized, too personal, and too difficult to figure out where every piece fit without intricate knowledge of how each piece fit together and why it was done that way in the first place.

With this particular project, the seller-financed a majority of the purchase price (so he was still invested in the success of the business), and I was always concerned that if he were disappointed in how I was operating the business, he would reassert his control over the entire platform and shut me out of it. Certainly, he had left some Trojan horse or backdoor in there somewhere, right?

What would be my recourse? You can shut someone out of a software business very easily by changing a few permissions, records, or ownership details. Even if you can’t gain full control back, you can certainly keep someone from operating their business at 100% capacity for long enough that you could prevail in a hostile takeover (would that be a “takeback”?).

Was this something worthwhile to be concerned with on this project? Should I have someone looking for backdoors or a name record not properly listed for my business somewhere? Or would that be a paranoid waste of time?

Fortunately, nothing ever came of it, as the business was never harmed (as far as I know).

Yet, that’s the flip side of unknown unknowns…what if you try and know something by assuming it must exist, but it doesn’t?

One could wrap themselves in a pretty tight knot over these types of concerns, fabricated or not.

So what unknown unknowns are there lurking in your business right now?