It’s like saying “Your Tinder profile will NOT contain any data/details about you or your dating search that will undermine you in your current relationship.”
I saw your email in my inbox but didn't read it. I never would've noticed with improved screenshots or not. Do you read every email you get?
You are literally taking private data and making it public without consent.
I would suggest you step away from any scripts and turn on the company ears. Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.
Why does this make your users uncomfortable? How can you work with them to achieve your product goals without undermining your relationship with them?
Good luck!
Literally just make it opt-in.
I've learned this lesson personally. Trying to be "clear" about my own perspective while ignoring what the other person feels.
"You don't like what you see? Impossible, you just can't see it. Let me make you see!"
Triplebyte as founded isn't working so they're trying to take a valuable asset they have (engineers looking for jobs) to compete with LinkedIn.
The problem with bootstrapping a LinkedIn competitor is the same chicken-and-egg problem with networks generally. You need people on it for people to join it.
What Triplebyte wants is your identity public. That's the product goal. The problem is that opt-in won't get them that. What are the incentives for anyone to make theirs public?
How many people who were searching for a job without telling their company are going to opt-in to make that public?
Most certainly not enough to bootstrap a LinkedIn competitor.
So someone had the idea to move fast and break things, either:
a) hoping no one would notice
b) hoping the fallout wouldn't be bad
c) not caring that the fallout would be bad
d) not knowing that there would be fallout
None of the above are particularly inspiring. It does seem hard to miss this coming.
Note that you are opening yourself up to major legal and financial liabilities, besides the obvious personal ramifications, i.e., you're on the record as a sleaze unless you handle this with velvet gloves from here on in.
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
I hope (for your sake) that you don't have any users that can invoke their GDPR rights against you by virtue of their citizenship.
For the sake of incentivising companies to do the right thing, however, I hope you do have some EU or UK citizen users who do litigate or have their data protection authority investigate and formally punish Triplebyte, even if only to establish clear precedent here for the future.
If your new service is of true benefit, it will be used.
What this means in practice is you can't default anything containing personal info to being public by default.
I think that's the real issue: timing. The only time this can work is when someone has just resigned or joined a new company, so they can (and are actually willing to) "legitimately" pump up the volume about themselves.
So make it an easy opt-in triggered by these events. Any Triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship should get opted-in automatically. Everyone else, you hold fire until something significant happens publicly, at which point you gently prod them. You can even ask, when someone signals they are looking for a job, "do you want your profile public at this time? It's a pretty cool thing! If not, no biggie, we'll ask again once things change."
It's not rocket science to do this respectfully and it's sad that they didn't.
Time frame is also very important. Example, a user has been with the company for over a decade, but the product has only been around for a few years. Or if one of the "achievements" was a test that was added recently.
Another way to look at it: either you're a replaceable cog, or you're essential to running the business. If you're essential, they're going to do whatever they can to keep you. If you're replaceable, they probably don't care that much whether you in particular stay or go, but it will certainly cost money to replace you, which they'd rather avoid spending.
Only a completely irrational company would cut someone loose just because an online profile with that person's name on it appeared somewhere.
None of the users care. Just because something is convenient, doesn't mean it's right.
On that note, I wish one day we'll stop letting startups get away with dishonest behavior (e.g. astroturfing) and dark patterns done for the sake of "solving the chicken-and-egg problem". Building a network is hard, tough shit. Doesn't mean you should build your company on lies and disrespectful treatment of your users from the start.
But what if you didn't have one yesterday, but you do have one today? What if you have only worked for one employer since TripleByte was founded (2015)? What if the only place you've worked is a startup of which you're a cofounder?
If you can't think of a way in which a privacy leak can have consequences, that doesn't mean there aren't any.
Article 18 restriction of processing can apply here. Art. 25 "Data protection by design and by default" would seem to be relevant as well. The section I alluded to above is the latter half of 25(2), saying "In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."
There's also the question of whether their consent or other grounds of processing suffice, which likely wouldn't for making anything public, but Article 25 makes it clear enough anyway this is illegal.
https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-... seems to suggest it is based on location. There would seem to be standing for anyone based in Europe that made an account when considering a move to the US, or who is based in Europe next Friday when the "data processing operation" occurs. That seems like it would give them standing, even if they weren't protected while overseas, as this is a new data processing operation.
"In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."
Am I misunderstanding you? If you "get opted in automatically", then it's no longer opt-in; it's opt-out.
A European visiting the US and interacting with an American business does so under the protection of US law, not EU law. This is complicated in the case of Facebook and Google because they also do business in Europe, so European courts can fine their European branch offices. But Triplebyte has no such EU presence that the European courts could pursue. And they don’t advertise European jobs. I suspect an EU citizen interacts with Triplebyte legally the same way they would if they went to a cafe in SF while on vacation.
The opposite would be crazy. If Triplebyte can be fined by the EU, that would also mean the government of Australia or China or Russia could arbitrarily levy fines against any US company if one of their citizens interacted with a US website one time. And everyone would put geo blocks on their websites to protect from liability.
And I know the e-mail says that results will only be shared if you did well. But, if you have a profile on TripleByte and there's no signal on your profile that you did well, the only logical conclusion is that you did not do well.
I'll be deleting my account, anyways. I didn't ask for this.
Are you arguing for this change? Whatever the argument is seems to be based on misinterpreting 'private' as 'known by no-one else'. Exactly the same argument could apply to e-mail: it's not private in the sense that no-one else sees it, just hidden from the majority of the world; presumably, when you sent it, you were advertising what it said to the recipient.
You may wish to consult your privacy attorneys; you'll likely be the subject of a number of GDPR complaints considering the above.
My interpretation of the above if you were to do it within the letter of the law (again, talk to your attorneys; I'm just a security director):
1. opt-in via settings page (or a modal on next login) for all people who already have accounts.
2. opt-in during registration for all people who choose to register accounts after the roll-over date.
Again, talk to your attorneys. If you successfully roll over without having taken the suggestion to talk to your attorneys, your conversation with your attorneys may change from "how to best implement this" to "how to avoid getting fined."
I'm guessing it's because their corporate metrics took a dive due to covid hiring slowdowns and now they need to justify their worth to investors who have put in $50 million.
GDPR is very clear in wording that it doesn’t matter whether a company has offices in the EU or not; the only thing that matters is whether the company is providing services to EU citizens.
Me: Thing
You: I hate that thing
Me: You don’t understand Thing. Here’s Thing explained.
You: I understand Thing, I still hate it.
Me: You don’t understand Thing. When you understand it, you’ll like it.
(Repeat)
Sometimes this is stupidity thinking that understanding is missing, but I think it’s usually shady just so they have something to say to counter the objection that is visible to people outside the conversation, who are interested, and at least see some form of technical interaction.
Of course there is a question about how you could enforce such a ruling. And if it can't be enforced, is it really a sanction? I guess if countries wanted to take this really seriously, they could get a list of company officers and put immigration flags on those individuals, and hold them temporarily upon trying to enter that country, until the matter was resolved. But that would be rather extreme, and you do raise some good points around which countries can fine the companies of other countries.
CCPA from California seems to have some cross-border implications as well - perhaps we will finally see a framework for privacy laws that works better than today's hotch-potch?
There isn't a spin you're going to be able to put on this that's going to change that what you're doing here is diametrically opposed to my goals. You knew that, which is why you tried to sneak it past everyone.
The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.
I own my own business. I'm not looking for a job. Unless something goes really horribly wrong, I won't be looking for a job in 24 months, or ever. Having my profile public doesn't add to the signal on their platform, it adds to the noise. Having my profile public is a waste of time for me, them, and employers looking for someone with my skills.
The Tinder analogy is imperfect because of that, but it's still a good illustration of how just the existence of a profile can destroy your plausible deniability.
I've seen some epic CEO fuckups but this one is special.
Is there another big use case that I'm missing from their product? Interested in hearing your interpretation of a person that has a profile on an interviewing service. My assumption would be the main objective of a user signing up for a service would be using the main product the service provides.
If they made the initial launch opt-in then that signals that the user deliberately chose to advertise that to the world. The message a current employer gets out of something that's opt-in instead of opt-out is notably different. This is just like the whole opt-out fiasco with the Do Not Track header. If it's opt-out, the signal is largely meaningless. In this case that's a benefit.
From TripleByte’s perspective it is a PR disaster, or at least we should treat it as such. Appealing to TripleByte’s internal moral compass is unlikely to succeed since they’ve demonstrated that they don’t have one. So we resort to appealing to their self-interest, since that is something they care about.
Nonetheless, I don’t find very much wrong with what they do, in general, or what they’ve done here. Do you think because I have a dissenting opinion, I must necessarily be some kind of shill? Come out and say it, if so.
In the sense of a likely reason for someone to draw an inference: Most people do not specifically seek out excuses to take tests, and do so only because they want something that the test provides them with, such as access to a job-hunting platform. Most people who want access to a job-hunting platform want it because they are job-hunting or plan to be soon.
It definitely is.
In order for this to hold, there would have to be objective ethical claims which were independent of what people thought about ethics.
> Your public profile includes any badges you've earned, your basic info (current job title and company, current location, and years of experience), and the tech experience & resume section.
This information can very easily be used to identify a person, especially at smaller companies.
> ... to provide us the canvas to release badges. That’s it.
So before you were taking on LinkedIn, but now it’s just a place to release badges?
[0] https://triplebyte.zendesk.com/hc/en-us/articles/36004382061...
Edit: To be fair, in their survey I think I said something like this sounded good, but it was phrased as "be part of an exclusive club of competent engineers" rather than "show current employer you're interviewing because you clicked on a banner ad. And my whiteboard code had a bug."
The technique seems super common now, and I’ve been expecting to run into it in some communications training, but haven’t yet.
I feel like there’s some crisis PR tactics this fits into that involves “Never disagree, redirect and ignore.” It defuses criticism and makes it hard to argue.
It seems related to when I see a complaint on a review site that’s been responded to with “I’m the manager, please call me.” It doesn’t resolve the issue, but it shows that someone is doing something, so it defuses pile-on because it stops complaints of ignoring customers.
Thankfully I felt "odd" when I signed up for your "interview" test and never fully finished it.
Also, you single-handedly brought me out of hiatus from commenting on HN.
What you have done with this decision is a friggin stab in the gut. If you think your foolish "it's only X we are making public! Not Y!" means something other than "oops, we got caught, how do we cover this up?!" then you are deluding yourself.
I have absolutely no interest in helping companies who pull shit like this recover from their PR disasters. If you do something like this, you deserve all the bad press you get.
But whether these particular business people have a moral compass or not is irrelevant to whether we should be discussing this as a moral or strategic mistake:
1. If they have a moral compass, then the strategic mistake pales in comparison to the ethical mistake, and they'll get that. We should be encouraging people to listen to their conscience, not teaching them to equate their conscience with selfishness.
2. If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we dis-empower them and remove them from positions where they can do harm. Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing. If they really are just bad people, they should be treated as the blight on society that they are.
I’m not going to pronounce any absolute judgment or certainty about this, but I think it’s a serious possibility for us to consider.
> If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we dis-empower them and remove them from positions where they can do harm.
I won’t ever use TripleByte again; will you?
> Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing.
I never accused anyone of being a narcissist or sociopath. Those are relatively extreme conditions. I’m simply describing people who have bad intrinsic moral character. And the world is filled with these people. As a society, we elicit good behavior out of these people by creating and applying incentives. It turns out that PR is one such incentive. Laws are another.
I could explain more but honestly James Clear has done a far better job here: https://jamesclear.com/why-facts-dont-change-minds