zlacker

[return to "Tell HN: Interviewed with Triplebyte? Your profile is about to become public"]
1. gansty+u5[view] [source] 2020-05-23 05:29:35
>>winsto+(OP)
This is horrible, what a breach of trust. I used TB to stealthily interview for jobs, had a good experience. Recommended them to others. Now I see that if I hadn't seen this post, I wouldn't have known about this and those details would have been public, which had the potential to seriously undermine me at my current position. I'll opt out tomorrow, but according to others it sounds like the visibility link was somewhat hidden. At least with this they're well on the way to becoming the next LinkedIn, at least by their practices. What a dark pattern.
◧◩
2. ammon+Pa[view] [source] 2020-05-23 06:36:03
>>gansty+u5
Your Triplebyte profile will NOT contain any data/details about you or your job search that will undermine you at your current employer. We should have included a screenshot and more details in the email. I'll talk to my team about following up with more details tomorrow. We are talking about a lightweight profile, like your Stack Overflow or HN profile, to provide us the canvas to release badges. That's it.
◧◩◪
3. g_p+Eo[view] [source] 2020-05-23 09:07:05
>>ammon+Pa
Regardless, this breaches GDPR by making data public and accessible to an unlimited audience by default.

I hope (for your sake) that you don't have any users that can invoke their GDPR rights against you by virtue of their citizenship.

For the sake of incentivising companies to do the right thing, however, I hope you do have some EU or UK citizen users who do litigate or have their data protection authority investigate and formally punish Triplebyte, even if only to establish clear precedent here for the future.

◧◩◪◨
4. im3w1l+pp[view] [source] 2020-05-23 09:14:47
>>g_p+Eo
Triplebyte is only targetting Americans afaik.
◧◩◪◨⬒
5. dirtyd+Dq[view] [source] 2020-05-23 09:27:48
>>im3w1l+pp
I'm a European in Europe and seem to have a triplebyte account
◧◩◪◨⬒⬓
6. g_p+7x[view] [source] 2020-05-23 10:54:29
>>dirtyd+Dq
In which case, it sounds like at the moment they carry out a "data processing operation" to make your data public, you would have standing to make a formal complaint to your local data protection authority.

Article 18 restriction of processing can apply here. Art. 25 "Data protection by design and by default" would seem to be relevant as well. The section I alluded to above is the latter half of 25(2), saying "In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."

There's also the question of whether their consent or other grounds of processing suffice, which likely wouldn't for making anything public, but Article 25 makes it clear enough anyway this is illegal.

◧◩◪◨⬒⬓⬔
7. joseph+NC[view] [source] 2020-05-23 12:04:54
>>g_p+7x
I am not a lawyer and this is not legal advice but ... I don’t think the European government has legal standing to fine triplebyte. Triplebyte doesn’t have offices, employees or customers in Europe.

A European visiting the US and interacting with an American business does so under the protection of US law, not EU law. This is complicated in the case of Facebook and google because they also do business in Europe, so European courts can fine their European branch offices. But Triplebyte has no such EU presence that the European courts could pursue. And they don’t advertise European jobs. I suspect an EU citizen interacts with triplebyte legally the same way they would if they went to a cafe in SF while on vacation.

The opposite would be crazy. If triplebyte can be fined by the EU, that would also mean the government of Australia or China or Russia could arbitrarily levy fines against any US company if one of their citizens interacted with a US website one time. And everyone would put geo blocks on their websites to protect from liability.

◧◩◪◨⬒⬓⬔⧯
8. g_p+lT[view] [source] 2020-05-23 14:36:29
>>joseph+NC
Not a lawyer, not legal advice either, but the GDPR approach to extraterritoriality is somewhat interesting. The presence of offices or employees isn't a strict requirement by law. The law, as written, would seem to apply to a US entity serving EU customers. But international law probably wouldn't facilitate doing anything about that.

Of course there is a question about how you could enforce such a ruling. And if it can't be enforced, is it really a sanction? I guess if countries wanted to take this really seriously, they could get a list of company officers and put immigration flags on those individuals, and hold them temporarily upon trying to enter that country, until the matter was resolved. But that would be rather extreme, and you do raise some good points around which countries can fine the companies of other countries.

CCPA from California seems to have some cross-border implications as well - perhaps we will finally see a framework for privacy laws that works better than today's hotch-potch?

[go to top]