Your Triplebyte profile will NOT contain any data/details about you or your job search that will undermine you at your current employer. We should have included a screenshot and more details in the email. I'll talk to my team about following up with more details tomorrow. We are talking about a lightweight profile, like your Stack Overflow or HN profile, to provide us the canvas to release badges. That's it.
Even so, the decision to make this opt-out instead of opt-in is extremely questionable. If it’s just a spot to put badges, why is it so critical that it be rushed through next week? And why are you so carefully avoiding talking about the opt-out when a significant chunk of the people in this thread are telling you that it’s the main thing they’re upset about? “Sorry that you feel this way” is the worst kind of corporate-speak non-apology that makes it clear that you’re apparently not interested in responding to feedback, but just making soothing sounds at everyone until the smoke clears and you get to continue doing exactly what you planned.
> If it’s just a spot to put badges, why is it so critical that it be rushed through next week?
I'm guessing it's because their corporate metrics took a dive due to covid hiring slowdowns and now they need to justify their worth to investors who have put in $50 million.
I would suggest you step away from any scripts and turn on the company ears. Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.
Why does this make your users uncomfortable? How can you work with them to achieve your product goals without undermining your relationship with them?
I strongly object to characterizing this situation as a PR disaster. The problem isn't that TripleByte is perceived as doing something unethical. The problem is that what TripleByte is doing is unethical.
You’re not wrong, and as far as you and I are concerned, that is the problem.
From TripleByte’s perspective it is a PR disaster, or at least we should treat it as such. Appealing to TripleByte’s internal moral compass is unlikely to succeed since they’ve demonstrated that they don’t have one. So we resort to appealing to their self-interest, since that is something they care about.
I'm not ready to write people off and conclude that the Triplebyte team have no moral compass. Certainly many business people do lack a moral compass, and they show a lot of the signs. But writing off people as simply bad people is a pretty extreme step.
But whether these particular business people have a moral compass or not is irrelevant to whether we should be discussing this as a moral or strategic mistake:
1. If they have a moral compass, then the strategic mistake pales in comparison to the ethical mistake, and they'll get that. We should be encouraging people to listen to their conscience, not teaching them to equate their conscience with selfishness.
2. If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we disempower them and remove them from positions where they can do harm. Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing. If they really are just bad people, they should be treated as the blight on society that they are.
> I'm not ready to write people off and conclude that the Triplebyte team have no moral compass.
I’m not going to pronounce any absolute judgment or certainty about this, but I think it’s a serious possibility for us to consider.
> If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we disempower them and remove them from positions where they can do harm.
I won’t ever use TripleByte again; will you?
> Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing.
I never accused anyone of being a narcissist or sociopath. Those are relatively extreme conditions. I’m simply describing people who have bad intrinsic moral character. And the world is filled with these people. As a society, we elicit good behavior out of these people by creating and applying incentives. It turns out that PR is one such incentive. Laws are another.
True, but we're talking about problems here, not things working correctly. The ethical disaster is the problem. An ethical disaster should result in a PR disaster. If an ethical disaster results in a PR disaster, that's not a problem, that's the system working correctly.
I have absolutely no interest in helping companies who pull shit like this recover from their PR disasters. If you do something like this, you deserve all the bad press you get.
The rhetorical technique that annoys me the most plays out like this...
Me: Thing
You: I hate that thing
Me: You don’t understand Thing. Here’s Thing explained.
You: I understand Thing, I still hate it.
Me: You don’t understand Thing. When you understand it, you’ll like it. (Repeat)
Sometimes this is stupidity thinking that understanding is missing, but I think it’s usually shady just so they have something to say to counter the objection that is visible to people outside the conversation, who are interested, and at least see some form of technical interaction.
There needs to be a catchy name for this type of interaction. I loathe it as well and it's annoyingly common. Companies that rely on this behavior should be called out repeatedly.
Willful misunderstanding?
Confusion redirect?
Defray to diffuse?
The technique seems super common now, and I’ve been expecting to run into it in some communications training, but haven’t yet.
I feel like there’s some crisis PR tactic this fits into that involves “Never disagree, redirect and ignore.” It defuses criticism and makes it hard to argue.
It seems related to when I see a complaint on a review site that’s been responded to with “I’m the manager, please call me.” It doesn’t resolve the issue, but it shows that someone is doing something, so it defuses the pile-on because it stops complaints of ignoring customers.
Opt-In doesn't help them achieve their product goals.
Triplebyte as founded isn't working, so they're trying to take a valuable asset they have (engineers looking for jobs) to compete with LinkedIn.
The problem with bootstrapping a LinkedIn competitor is the same chicken-and-egg problem with networks generally. You need people on it for people to join it.
What Triplebyte wants is your identity public. That's the product goal. The problem is that opt-in won't get them that. What are the incentives for anyone to make theirs public?
How many people who were searching for a job without telling their company are going to opt-in to make that public?
Most certainly not enough to bootstrap a LinkedIn competitor.
So someone had the idea to move fast and break things, either:
a) hoping no one would notice
b) hoping the fallout wouldn't be bad
c) not caring that the fallout would be bad
d) not knowing that there would be fallout
None of the above are particularly inspiring. It does seem hard to miss this coming.
> How many people who were searching for a job without telling their company are going to opt-in to make that public?
I think that's the real issue: timing. The only time this can work is when someone has just resigned or joined a new company, so they can (and are actually willing to) "legitimately" pump up the volume about themselves.
So make it an easy opt-in triggered by these events. Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship should get opted-in automatically. Everyone else, you hold fire until something significant happens publicly, at which point you gently prod them. You can even ask, when someone signals they are looking for a job, "Do you want your profile public at this time? It's a pretty cool thing! If not, no biggie, we'll ask again once things change."
It's not rocket science to do this respectfully and it's sad that they didn't.
> Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship, should get opted-in automatically.
Am I misunderstanding you? If you "get opted in automatically", then it's no longer opt-in; it's opt-out.
But doing it all at once and having it opt-out accomplishes that. If "John Smith" has a public TripleByte profile next week, as a third party the only signal I can get out of that is that "John Smith" passed the TripleByte interview some time in the past. I'd be okay with this if TripleByte gave a couple weeks to opt-out and made certain potentially sensitive information opt-in. Just make it 4 weeks to opt-out and by default don't display the date they interviewed with TripleByte and don't display "Open to new opportunities". Then just ask the user what they want after new interviews and accepted job offers.
If they made the initial launch opt-in then that signals that the user deliberately chose to advertise that to the world. The message a current employer gets out of something that's opt-in instead of opt-out is notably different. This is just like the whole opt-out fiasco with the Do Not Track header. If it's opt-out, the signal is largely meaningless. In this case that's a benefit.
> Opt-In doesn't help them achieve their product goals.
None of the users care. Just because something is convenient, doesn't mean it's right.
On that note, I wish one day we'll stop letting startups get away with dishonest behavior (e.g. astroturfing) and dark patterns done for the sake of "solving the chicken-and-egg problem". Building a network is hard, tough shit. Doesn't mean you should build your company on lies and disrespectful treatment of your users from the start.
If their goal is to have my identity public, that's a pretty bad goal--certainly not a profitable one.
I own my own business. I'm not looking for a job. Unless something goes really horribly wrong, I won't be looking for a job in 24 months, or ever. Having my profile public doesn't add to the signal on their platform, it adds to the noise. Having my profile public is a waste of time for me, them, and employers looking for someone with my skills.
Hopefully his last too, as the company goes down in flames. But well, scumbag CEOs usually have parachutes (or Mary Poppins-esque umbrellas?) that take them elsewhere.
If someone goes from not having a profile to having one, you know they’re job hunting.
It’s like saying “Your Tinder profile will NOT contain any data/details about you or your dating search that will undermine you in your current relationship.”
The type of relationship is different, but the example still holds. Having a profile at all can and likely will be viewed as an indicator of intention to leave the current relationship for a new relationship. This was how it was viewed having a resume profile on sites like Monster and CareerBuilder before LinkedIn made it the norm to have a public resume.
Time frame is also very important. For example, a user has been with the company for over a decade, but the product has only been around for a few years. Or if one of the "achievements" was a test that was added recently.
But what if you didn't have one yesterday, but you do have one today? What if you have only worked for one employer since TripleByte was founded (2015)? What if the only place you've worked is a startup of which you're a cofounder?
If you can't think of a way in which a privacy leak can have consequences, that doesn't mean there aren't any.
In the sense of a logical implication which follows with full logical necessity: it doesn't.
In the sense of a likely reason for someone to draw an inference: Most people do not specifically seek out excuses to take tests, and do so only because they want something that the test provides them with, such as access to a job-hunting platform. Most people who want access to a job-hunting platform want it because they are job-hunting or plan to be soon.
It's a known interviewing service. The implication by many would be that you took the test because you were interested in interviewing.
Is there another big use case that I'm missing from their product? Interested in hearing your interpretation of a person that has a profile on an interviewing service. My assumption would be the main objective of a user signing up for a service would be using the main product the service provides.
After reading your various comments, I have to ask if you have any relationship with Triplebyte and/or its founders beyond merely using the service. And yes, I would greatly appreciate an answer to this.
I do not, other than having interviewed with them. For the record, I would not care to repeat the experience, either. I found the process unnecessarily stressful and not worth the time investment.
Nonetheless, I don’t find very much wrong with what they do, in general, or what they’ve done here. Do you think that because I have a dissenting opinion, I must necessarily be some kind of shill? Come out and say it, if so.
I didn’t know one way or the other, which is why I asked. Perhaps the unspoken bias I’m putting on display is the assumption that no independent observer could possibly think their actions were ethical.
Companies that are worth a shit don't retaliate against people for looking at other opportunities. That's precisely why your Tinder example is not just off base, it's wrong.
Another way to look at it: either you're a replaceable cog, or you're essential to running the business. If you're essential, they're going to do whatever they can to keep you. If you're replaceable, they probably don't care that much whether you in particular stay or go, but it will certainly cost money to replace you, which they'd rather avoid spending.
Only a completely irrational company would cut someone loose just because an online profile with that person's name on it appeared somewhere.
Being fired because you're perceived to be looking for other jobs probably isn't a realistic concern. But being passed up for promotions or missing out on desirable opportunities because you're perceived to be looking for other jobs is a very real possibility, even if you're not easily replaceable.
The Tinder analogy is imperfect because of that, but it's still a good illustration of how just the existence of a profile can destroy your plausible deniability.
If I had to lay off one of two employees in a role, both do the role fine, but I strongly suspect one of the two has been looking to leave... Which of the two am I keeping?
I don't get why you'd think it's okay to suddenly make private information about your users public. The lesson is not "We should've included a screenshot" but rather "We shouldn't automatically opt our users in to sharing information they thought was private.". This is a betrayal of user trust.
I saw your email in my inbox but didn't read it. I never would've noticed with improved screenshots or not. Do you read every email you get?
From a GDPR perspective, for anyone who is able to lay claim to GDPR protections, it wouldn't matter whether this is written in red on the first line of the agreement - "data protection by default" means that you must default to not sharing with an unlimited number of people.
What this means in practice is you can't default anything containing personal info to being public by default.
Yup. One of the best benefits of GDPR is that you don't have to read the fine print anymore, because companies can't legally put anything abusive in there, at least with respect to processing your data.
Absolutely. Article 25(2) is written for this specific situation, and expressly prohibits opt-out situations where personal data might be made publicly accessible:
"In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."
The fact that this is the top comment and that folks who trusted you are seeing this email first on HN instead of in their inbox means you fucked up. The details of what trimmings you put on the email were not the fuckup.
Not according to your own FAQ[0] on public profiles:
> Your public profile includes any badges you've earned, your basic info (current job title and company, current location, and years of experience), and the tech experience & resume section.
This information can very easily be used to identify a person, especially at smaller companies.
> ... to provide us the canvas to release badges. That’s it.
So before you were taking on LinkedIn, but now it’s just a place to release badges?
Regardless, this breaches GDPR by making data public and accessible to an unlimited audience by default.
I hope (for your sake) that you don't have any users that can invoke their GDPR rights against you by virtue of their citizenship.
For the sake of incentivising companies to do the right thing, however, I hope you do have some EU or UK citizen users who do litigate or have their data protection authority investigate and formally punish Triplebyte, even if only to establish clear precedent here for the future.
In which case, it sounds like at the moment they carry out a "data processing operation" to make your data public, you would have standing to make a formal complaint to your local data protection authority.
Article 18 restriction of processing can apply here. Art. 25 "Data protection by design and by default" would seem to be relevant as well. The section I alluded to above is the latter half of 25(2), saying "In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."
There's also the question of whether their consent or other grounds of processing suffice, which likely wouldn't for making anything public, but Article 25 makes it clear enough anyway this is illegal.
I am not a lawyer and this is not legal advice but ... I don’t think the European government has legal standing to fine Triplebyte. Triplebyte doesn’t have offices, employees or customers in Europe.
A European visiting the US and interacting with an American business does so under the protection of US law, not EU law. This is complicated in the case of Facebook and Google because they also do business in Europe, so European courts can fine their European branch offices. But Triplebyte has no such EU presence that the European courts could pursue. And they don’t advertise European jobs. I suspect an EU citizen interacts with Triplebyte legally the same way they would if they went to a cafe in SF while on vacation.
The opposite would be crazy. If Triplebyte can be fined by the EU, that would also mean the government of Australia or China or Russia could arbitrarily levy fines against any US company if one of their citizens interacted with a US website one time. And everyone would put geo blocks on their websites to protect from liability.
Not a lawyer, not legal advice either, but the GDPR approach to extraterritoriality is somewhat interesting. The presence of offices or employees isn't a strict requirement by law. The law, as written, would seem to apply to a US entity serving EU customers. But international law probably wouldn't facilitate doing anything about that.
Of course there is a question about how you could enforce such a ruling. And if it can't be enforced, is it really a sanction? I guess if countries wanted to take this really seriously, they could get a list of company officers and put immigration flags on those individuals, and hold them temporarily upon trying to enter that country, until the matter was resolved. But that would be rather extreme, and you do raise some good points around which countries can fine the companies of other countries.
CCPA from California seems to have some cross-border implications as well - perhaps we will finally see a framework for privacy laws that works better than today's hotch-potch?
Triplebyte can 100% be fined by the EU; there are previous cases where the HQ is outside the EU but they are serving EU citizens.
GDPR is very clear in its wording that it doesn’t matter whether the company has offices in the EU or not; the only thing that matters is whether the company is providing services to EU citizens.
That's not correct. You can pursue damages outside of your jurisdiction through a process called "domestication". Generally speaking US courts will enforce judgements from other countries with a legitimate legal system.
I'm not an expert in the direct applicability of GDPR, but my understanding is a European, living in Europe at the time this change happens (but who was perhaps doing an online job hunt, considering a move) might still be covered. Admittedly this is an edge case, but it's not one I'd want to risk in the era of extraterritorial enforcement of various privacy laws.
I was reading about GDPR last week (since CouchSurfing was another company that turned scumbaggy and put up a paywall such that one couldn't even access one's own account to delete it without paying a subscription). As I understand it, it only applies to people who were in the EU as the data collection occurred.
No, it covers EU citizens' data fully no matter where they are or where the data is. It may also cover non-EU citizens when in Europe which is perhaps what the article you read was referring to or had misunderstood.
It seems slightly unclear, but generally a lot of interpretations seem to be focusing on the location of the person. An American buying something in a European airport is protected by GDPR during their fleeting pass-through of the "GDPR zone".
https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-... seems to suggest it is based on location. There would seem to be standing for anyone based in Europe that made an account when considering a move to the US, or who is based in Europe next Friday when the "data processing operation" occurs. That seems like it would give them standing, even if they weren't protected while overseas, as this is a new data processing operation.
Please don't make your team work on a U.S. holiday weekend for this. Just don't hit the deploy button on this change and now there's no deadline and no need for crunch.
I don't want a public profile of any kind on your website.
There isn't a spin you're going to be able to put on this that's going to change that what you're doing here is diametrically opposed to my goals. You knew that, which is why you tried to sneak it past everyone.
The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.
For now. What about the future? I just don't trust any company which changes the agreements without asking for my consent. In this case I just want to close my account and delete all my data. Seems impossible. In Europe, after doing things like this they could end up in jail for breaking GDPR rules. In the US it looks like it's fine to gather users' data, sell it without consent, and then forbid closing accounts. And there are always people who repeat "the company is fine, they have the right to do it". Except they don't.
Your site is a job search site, so the fact that someone has an account means they have been job hunting. This is not like Stack Overflow or Hacker News, which you seem to like comparing the profiles to. Stack Overflow may have job search functionality, but it started as primarily something not related to a job search, so my having an account there doesn't mean I have been job hunting.
Your SO account was also never private, didn't contain "test scores" for job skills, and was never a repository of sensitive information about you that you only allowed them to have because you trusted them to keep it private.
I've seen some epic CEO fuckups but this one is special.
Just the fact that someone used your service is a signal for their current employers; it might be used against employees during lay-off rounds by interpreting it as meaning they are 'on the market'. In the current employment climate that is super dangerous. I strongly urge you to reconsider this re-use of data, especially for EU citizens, where all use other than the one for which the data was gathered is illegal. See also: GDPR, specificity, as well as the section on mandatory opt-in for future use.
Note that you are opening yourself up to major legal and financial liabilities, besides the obvious personal ramifications, i.e. you're on the record as a sleaze unless you handle this with velvet gloves from here on in.
What you're doing is wrong and unethical, period. Do the right thing and walk back this ridiculous plan. Until then, I will do everything I can do to avoid your service and have others in my network do the same.
> 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
You may wish to consult your privacy attorneys; you'll likely be the subject of a number of GDPR complaints considering the above.
My interpretation of the above if you were to do it within the letter of the law (again, talk to your attorneys; I'm just a security director):
1. opt-in via settings page (or a modal on next login) for all people who already have accounts.
2. opt-in during registration for all people who choose to register accounts after the roll-over date.
Again, talk to your attorneys. If you successfully roll over without having taken the suggestion to talk to your attorneys, your conversation with your attorneys may change from "how to best implement this" to "how to avoid getting fined."
Same here. It's annoying that a technical aptitude test that I took when I was a freshman in college might now be publicly viewable as a benchmark for my skills.
And I know the e-mail says that results will only be shared if you did well. But, if you have a profile on TripleByte and there's no signal on your profile that you did well, the only logical conclusion is that you did not do well.
I'll be deleting my account, anyways. I didn't ask for this.
Similarly, I took a test in a language I’m not very familiar with to understand the process. I’m not terribly embarrassed, but I don’t want that publicly available.
See I did fantastic in the interview, but the interviewer was a noob :/
Edit: To be fair, in their survey I think I said something like this sounded good, but it was phrased as "be part of an exclusive club of competent engineers" rather than "show your current employer you're interviewing because you clicked on a banner ad". And my whiteboard code had a bug.
What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.
> What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.
Are you arguing for this change? Whatever the argument is seems to be based on misinterpreting 'private' as 'known by no-one else'. Exactly the same argument could apply to e-mail: it's not private in the sense that no-one else sees it, just hidden from the majority of the world; presumably, when you sent it, you were advertising what it said to the recipient.
> GDPR 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
You have become a class 'A' manipulator. I thought I could see through people's crap. But you take the cake.
Thankfully I felt "odd" when I signed up for your "interview" test and never fully finished it.
Also, you single handedly brought me out of hiatus from commenting on HN.
What you have done with this decision is a friggin stab in the gut. If you think your foolish "it's only X we are making public! Not Y!" means something other than "oops, we got caught, how do we cover this up?!" then you are deluding yourself.
YOU are not in a position to determine what will or will not undermine me at my employer or my business partners. You can still fix this. Make it opt-in for existing users and opt-out for new users. Simple.
I am very glad that I sent you all a rude message requesting my account deletion a few years ago, this is an awful response to a huge issue. Good luck with the recruiting business when no one trusts you!