Fizz: Investigating Campus’ Newest Phenomenon

What’s the big fuss about Fizz? Screenshot from Fizz Social Corp.

The Dark Ages—

On February 17 of this year, partakers of debauchery, whistleblowers to fraternity drama, and gossipers alike quaked in horror as Librex, that most popular of apps for the Dartmouth undergraduate, shut down. All posts and users on the platform were deleted and no longer accessible by that evening. Librex had been released in 2019 by Ryan Schiller, a Yale ’23 and staunch free-speech Libertarian, to serve as a “safe space” for free speech and discourse in Yale’s (apparently?) judgemental social scene. The main feature of the app was its promise of total anonymity. Unsurprisingly, the app quickly turned into a hotbed of verbal abuse and problematic content. Despite this, according to Schiller, Librex grew to over 6,000 daily active users, with immense popularity at Yale and, in particular, at Dartmouth.

The fall of Librex left students in a proverbial dark age, with competing anonymity apps vying for its place as the leader on Ivy League campuses. One option of note, YikYak, is a notorious platform for anonymous interaction limited only by the geographical area of its users. Despite its promise of a community that is “authentic, equal, and empowered,” YikYak fostered a comically abusive, racist, and bigoted community. YikYak shut down in 2017, only to emerge once again in 2021, with over 2 million users in the first several months.

Rise—

The newest app on the block claiming to solve the toxicity issue is Fizz, the brainchild of Stanford dropout Teddy Solomon. Fizz has pledged to change the streak of toxic communities while preserving the promise of anonymity. Its main difference: a federated moderation system. Whereas Librex had a small and centralized moderation team, Solomon, the app’s founder, asserts that Fizz recruits moderator teams in every university into which it expands. “Each community has their own language,” observes Mr. Solomon. Indeed, Dartmouth is notorious for inventing an entirely new lexicon. No Yale student would ever understand, for instance, the meaning of “DBA Daddy,” “Evil Novak Lady,” or even “Tails.”

Mr. Solomon’s venture began when he put together a group of twenty-five Stanford students to travel to Scottsdale, Arizona (even he had no idea why he chose Arizona). Finding himself so disconnected from the Stanford community, Mr. Solomon ideated Fizz. His primary realization was that a centralized moderation team will not effectively work in school communities due to the prevalence of inside jokes. 

Having pinpointed the main flaws of competitors, Mr. Solomon and his co-founder launched a beta build of the app in early 2021 in Florida. After getting positive feedback from his peers, he went AirBnB-hopping across the country to beta-test the app. Then, in the summer of 2021, when Stanford allowed its students back on campus, the founding team walked across the campus, dropping flyers in front of doors. Within weeks, 7,000 people had joined the app. 

With these strong initial figures, Fizz raised a moderate 7-figure seed round in December of 2021, approximately five months after launching at Stanford. Granted that the venture climate during 2021 was characterized by inflated valuations and loose wallets, seven figures is an impressive seed round for a social media platform in this decade. The app quickly spread to Rutgers, UT Austin, the rest of the Ivy League, and finally Dartmouth. If you noticed someone you had never seen before standing among the group handing out donuts in front of Collis, chances are it was Mr. Solomon.

Since raising his seed round, Mr. Solomon hired a group of 21 people to the team and purchased a house near the Stanford campus. The team leads a stereotypical start-up life. Some Stanford students talked favorably about parties at the “Fizz house.” When asked what his vision for Fizz was, Mr. Solomon said that he envisioned Fizz on every campus in America, creating an authentic connection between students in the medium term. With a focus on anonymous and safe communication, Mr. Solomon hopes Fizz will decrease social anxiety. In the long term, Fizz wants to become the hyper-local platform for different local communities. 

A Matter of Anonymity—

Of course, the question for every social media company is how to get to profitability. When directly asked about Fizz’s path to profitability, Mr. Solomon responded that he had no idea. While honesty is appreciated, in a down-market environment, possessing a social media platform without a path to profitability is the worst possible position one could be in as a founder. While Mr. Solomon maintains that access and reach to exclusive college communities is a distinct competitive advantage, it is unclear how to monetize that resource. Even if monetization was possible, with such a high valuation, it is unclear whether that would be enough to become profitable. 

When companies and individuals become desperate, principles get abandoned, and promises get broken. To Fizz’s credit, its privacy policy is very tightly written, strictly prohibiting the sale of any private data to any third party. Mr. Solomon has also promised that Fizz will always “100%” stick by its word regarding data privacy. However, even if Mr. Solomon’s word can be trusted and Fizz’s privacy policy remains unchanged, data security goes beyond not selling to third-party sources. Since Fizz promises that users can “post anonymously,” three primary considerations must be made to ensure anonymity:

First, will the data ever be sold to a third party? The answer to this seems to be a cautiously confident no. 

Second, how is the data being stored? Will users’ posts and interactions stay anonymized in the database? 

Third, are the database and interfaces to the database configured and secured properly?

The answer to the final two questions is more complicated than that to the first. An app like Fizz can either be externally anonymous or truly anonymous. To be externally anonymous means that, through app logic, users will be prohibited from viewing the identity of other users. This could mean that, even if one posts “anonymously,” one’s identity may still be tied to the post but just be hidden from the public eye. On the other hand, measures can be taken to make data truly anonymous, meaning that no one, not even the employees of Fizz, in this case, would be able to link identities to posts. Fizz could, for instance, discard de-anonymizing information like people’s emails and phone numbers after registration and identity verification. At the very least, de-anonymizing information should be stored in a separate non-public-facing database with limited access, even for Fizz employees. 
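A minimal sketch of the “truly anonymous” storage described above, as an added example that is not Fizz’s code or anything from the original article. The class, its method names, and the keyed-digest check used to block duplicate sign-ups are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret ("pepper") kept outside the database.
PEPPER = secrets.token_bytes(32)


class AnonymousStore:
    """Accounts and posts never reference an email or phone number."""

    def __init__(self):
        # Keyed digests of already-used emails, held only to block duplicate
        # sign-ups. A set has no order and no account column, so an entry
        # cannot be joined back to an account.
        self.used_identities = set()
        self.accounts = set()   # random account ids
        self.posts = []         # (account_id, text)

    def register(self, verified_email):
        """Call only after the email has passed identity verification."""
        tag = hmac.new(PEPPER, verified_email.strip().lower().encode(),
                       hashlib.sha256).hexdigest()
        if tag in self.used_identities:
            raise ValueError("identity already registered")
        self.used_identities.add(tag)
        account_id = secrets.token_hex(16)  # unrelated to the email
        self.accounts.add(account_id)
        return account_id                   # the email itself is not stored

    def post(self, account_id, text):
        if account_id not in self.accounts:
            raise PermissionError("unknown account")
        self.posts.append((account_id, text))

    def dump(self):
        """Everything an insider or an attacker with a full copy would see."""
        return {"used_identities": sorted(self.used_identities),
                "accounts": sorted(self.accounts),
                "posts": list(self.posts)}


def demo():
    store = AnonymousStore()
    email = "student@example.edu"   # constructed sample value
    account = store.register(email)
    store.post(account, "constructed sample post")
    return store, email, account
```

Someone holding the pepper can still test whether a given email has ever registered, but not which account or posts belong to it. In a real database, creation timestamps or row order on the two tables would have to be withheld or coarsened so they cannot be used to pair entries.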

Fizz is not simply a place for memes or throwaway comments. As we’ve seen with Librex in the past, people used it to express intimate parts of their lives: calls for help, family issues, and relationship troubles, to name just a few. Therefore, the promise of anonymity, which Fizz makes clear on its website and flyers, should be treated with high technical scrutiny.

Questionable History—

Unfortunately, we do not know whether Fizz treats its promise of anonymity to such a high standard. According to an anonymous source intimately close to the matter, a “cyber-security expert” was able to gain unauthorized access to Fizz’s database. He found that all of the app data was hosted on Firebase, Google’s infrastructure-as-a-service platform, with no hashing, encryption, or obfuscation mechanisms to protect anonymity. In fact, he could download metadata for all posts—metadata that was directly linked to private email addresses and phone numbers. 

While hacking any system that the hacker does not personally own is, to be sure, a criminal offense, tech companies typically welcome it so long as the steps to reproduce the exploit are disclosed to the company within a reasonable timeframe to effect a fix. For instance, Google awarded more than $8.7 million in 2021 alone, through its Vulnerability Reward Program, for these kinds of disclosures. “Penetration Testing” is a safe and integral mechanism that keeps all of our critical internet services private and secure.

However, when the individual in question approached Mr. Solomon and the rest of the Fizz team about his concerns, he found himself the recipient of a letter from Fizz’s legal counsel, which told him the issues had been addressed but also accused him of violating two federal laws. He was informed that, unless he signed a strict Non-Disclosure Agreement about his discoveries, Fizz would pursue legal action against him. Fortunately, this individual himself retained counsel, and Fizz eventually backed down from its legal threats.

Since receiving this information, The Review has reached out to Mr. Solomon for further comment (first on July 19, a week after our initial interview with him about Fizz, and then again on July 25). Unfortunately, we received no further comment from Mr. Solomon.

If the anonymous source to whom we have spoken is to be believed, Fizz’s behavior is unacceptable, especially for a platform promising anonymity and a safe space to discuss even the most intimate of issues on campus. The correct response to the individual would have been to make a public announcement of the vulnerability, outline a plan for correcting the vulnerability, and offer him a handsome reward for his contribution to the improvement of Fizz (as is standard in other tech firms). At the very least, he did not deserve a legal threat in exchange for counterproductive silence. 

Again, if our source is to be believed, even if Mr. Solomon and Fizz never sell any data to third parties, deanonymizing metadata directly correlated to every user’s posts, comments, and private messages will be available for select members of the Fizz team to view freely. Also, if Fizz were ever hacked again (perhaps by a black-hat hacker this time), all user interactions would become available to the highest bidder. How data is stored internally is essential to privacy and anonymity. Since Mr. Solomon did not comment on this issue, we can only hope that the issues have been resolved through the proper steps necessary to maintain anonymity.*

A Reflection on Technology, Overall—

The pitfall of modern technology, especially with the advent of blockchain and advanced encryption, is that it lulls us into a sense of false security. We’ve repeatedly seen that so-called “secure” services are not secure at all. Blockchain and decentralized finance startups are hacked and their networks and infrastructures exploited on a regular basis (Audius, Harmony, crypto.com, etc). Telegram, which millions of people trust for private encrypted messaging, has several vulnerabilities ranging from the trivial to the academic but detrimental. Even systems thought to have been impenetrable, such as the Tor network, have been used and abused by world governments and private actors to deanonymize a significant amount of private traffic. Time and time again, technologies promise an unexploitable and incorruptible future that inevitably gets broken. Thus is the path with all things made and used by man. We are imperfect machines that inevitably make systematic mistakes.

We should remind ourselves that the best technology is no technology at all. If we wish to speak privately, we should not reach for an encrypted chat service but a private room. If we wish to transact without government interference, we should pay with cash (or gold, if you’re that kind of person). If we wish to leak government secrets, well, please go and work for a different country. No amount of quantum encryption technology or clever engineering will ever solve issues that are fundamental to our existence. There will always be bad actors looking to exploit systems. The less complicated the system is, the easier it will be for us to manage and mitigate attack vectors. 

Fizz—

As for Fizz, it does not promise cryptographic security, and, according to our source, it does not offer true anonymity. Of course, in an ideal world, it would be in the best interest of the social platform to do so, but this is not an ideal world. With Fizz’s alleged data leak history, we appear to live in the farthest possible reality from this ideal world. 

The best way to confide in others without the fear of getting de-anonymized or having unwanted actors listening in would be to do so in person. In principle, we should never put too much trust in Fizz (nor should we have in Librex) to keep our data secure and private. 

Fizz will most likely become a successful platform because its founders were recently students themselves and their identified pain points are fundamental to the college experience. One can only hope that, as they amass more private data from the world’s future leaders, Mr. Solomon and his team appropriately reckon with the power they’ve been handed and treat their promise of anonymity to the highest degree.

* Even the mostly brilliant federated moderation system employed by Fizz could quickly turn sour. According to another anonymous source close to the matter, relatively high turnover rates are not uncommon among Fizz moderator groups. Moreover, as moderators have a certain quota of posts they need to make and posts with which to engage (either through comments or upvotes), they hold significant power in determining what content is disseminated on the platform and viewed by its users. These quotas also serve to partly explain some absurdly high “karma” numbers on the Dartmouth Fizz leaderboard.

1 Comment on "Fizz: Investigating Campus’ Newest Phenomenon"

  1. wow this company seems sus asl – ignoring even the sketchy storage of user information… how can they say they’re making an authentic community when they have employees who have a quota of posts to make and are artificially inflating upvotes to make specific content seem more popular than it is…
