Tell HN: Interviewed with Triplebyte? Your profile is about to become public

1543 points by winston_smith ↗ HN
Fortunately this email made it through my spam filter. Looks like they want to take on LinkedIn and are planning to seed it by making existing accounts public unless you opt OUT within the next week:

Hey [redacted],

I’m excited to announce that we are expanding the reach of your Triplebyte profile. Now, you can use your Triplebyte credentials on and off the platform. Just like LinkedIn, your profile will be publicly accessible with a dedicated URL that you can share anywhere (job applications, LinkedIn, GitHub, etc). When you do well on a Triplebyte assessment, your profile will showcase that achievement (we won’t show your scores publicly). Unlike LinkedIn, we aim to become your digital engineering skills resume — a credential based on actual skills, not pedigree.

The new profiles will be launching publicly in 1 week. This is a great opportunity to update your profile with your latest experience and preferences. You can edit your profile privacy settings to not appear in public search engines at any time.

Our mission is to build an open, valuable, and skills-based credential for all engineers. We believe that allowing Triplebyte engineers to publicly share their profiles and skills-based credentials will accelerate this mission.

Thanks,

Ammon Co-founder & CEO, Triplebyte

604 comments

[ 5.0 ms ] story [ 251 ms ] thread
Seems like an unfortunate decision. Opt-in would have been the more respectable move here.
Maybe, but, depending on how it's implemented, these profiles might technically be "public" but not indexed by Google or have easily guessed URLs. In any case, it seems like the only information this would leak beyond what would be on a LinkedIn profile is the fact that you've taken a TripleByte assessment and done well. That seems pretty innocuous.
No, the profiles have other information too, like what geographical regions you want to work in, what kind of job you’re looking for, etc. This could give away information to one’s employer that they might have preferred to keep quiet. I predict that a nonzero number of people will be harmed, embarrassed or at least inconvenienced by this.
Counterpoint: they may not display everything you see when you log in to TripleByte. You're complaining about something that hasn't happened to anyone and may not happen at all. This time next week, you may have a valid argument, but not yet.
I’d much rather know that now, rather than waiting until after it’s already happened to find out whether or not it’s a privacy violation.
Have you tried asking?
I don’t think I should need to. If a company is going to unexpectedly publish information about me on short notice, the onus is on them to consider the implications and explain what they’re doing.
Okay, so, you're concerned about a potential privacy violation, but won't take steps to find out if there is one to begin with? I don't have a lot of sympathy for that position. Go and fill your TripleByte profile with misinformation if it suits you, I suppose.

Edit: I missed that there's a privacy setting to make the profiles non-searchable. So, I guess you care enough to complain on the internet, but not enough to even ask if there's a privacy violation? Seems like there's a name for that.

Just saw your edit. My emphasis continues to be on unexpected and short notice, with an added obscure (notice that you missed it too) and opt-out. I should not need to be prepared to jump at a moment’s notice any time someone decides they want to “accelerate [their] mission.” (And I am going to opt out—or, more likely, delete my account altogether—but that doesn’t mean I can’t also complain on the Internet.)
And, again, you care enough to complain on the internet about something that may not even be a problem, but not enough to do anything about it for anyone else, or even to find out if there's anything wrong in the first place. And, you would rather complain than simply ask what's going to be displayed. Your virtue signaling earns you no points here, not that I think it matters to you.
There is very obviously something wrong at this point; reading Ammon’s responses to this thread has been enough to tell me that. I’m not sure what you expect me to do for anyone else; I can tell my Congressperson that I advocate for GDPR-like legislation, but since I didn’t accept the job offer I got from Triplebyte it’s not like I can change their site to turn this launch off for everyone else.

(I’m also baffled by your comment about virtue signaling. I’m publicly stating my opinion, yes, and given the number of upvotes I’m getting there seem to be people who agree with me; but my primary goal is not some sort of social signalling, but to respond to you in order to clarify my stance on the situation.)

The whole point is that they shouldn't have to ask...
If this inspires you to delete your profile, according to the help section, the only way to do it is by emailing candidate.support@triplebyte.com.
You can delete your account via https://triplebyte.com/privacy-center.
This doesn't seem to work. I requested to delete my profile but I didn't get a confirmation email. However, when I requested to make my profile invisible I immediately received an email confirmation.
Clicked on the delete confirmation link, yet I can still login just fine?
There was another site that had 30 day deletion policy, but if you logged in during the 30 days then deletion was automatically cancelled. Squirrelly behavior obviously.
I think that's what's going on here. Got another email today letting me know that my request to delete my account is complete, yet I could reset my password just fine.
(comment deleted)
This is awful. And announcing this late on a Friday is what news organizations call “taking out the trash,” publicizing something when people aren’t paying attention.
Really sorry that you think this is awful. Certainly do opt-out. I think that taking on LinkedIn and creating a better engineering resume is a good thing to do. I can assure you that the Friday announcement is a result of our team grinding to hit a planned release week, not anything other than that (I would have loved to get this out earlier in the week)
Maybe you should have considered the timing more carefully rather than rushing to keep it in the sprint? Pushing it out last minute just makes you sound desperate rather than shady, which isn’t much of an improvement.
And this should have been opt in, not "opt out within a week or else we'll dump your info and association with us onto the internet."
>I think that taking on LinkedIn and creating a better engineering resume is a good thing to do.

Clearly and obviously not the part people are upset about. Cmon mate.

Isn't this breaching GDPR regulations along with a host of others?
(comment deleted)
Pity to see this downvoted, yes it is!
There seems to be a strong urge on this forum to downvote anything that informs users of the things GDPR does to help them, most likely because a large portion of the people on this forum have a vested interest in being able to abuse users in ways that go against the GDPR.
If Triplebyte doesn't operate in a jurisdiction that makes them subject to GDPR enforcement, the comment is more misleading than helpful.
Really sorry that you are completely tone deaf.

You're not taking on LinkedIn, you're just trying to get a bigger piece of that good ole dark pattern pie.

Please consider making this change opt-in rather than opt-out. Imagine an employer finding someone's profile and seeing a mismatch between their qualifications on Triplebyte versus what they might have said in an interview, and having a negative impact on their prospects.

I do think it's an urgent matter and something that can and will come to bite you later- HN Is how I found out myself and I don't really think right now is the moment to play silly games with people's privacy, and not everybody may keep in touch with Triplebyte after their assessments.

> I would have loved to get this out earlier in the week

You didn’t launch anything. All you had to do was edit the “1 week” part of your email and you could have sent earlier

Also, are you genuinely surprised by this backlash? Did you really think making people’s info public was going to be a popular decision? It’s hard for me to understand how common sense doesn’t prevail in this situation.

Hey Ammon, the idea is good, it's solid. Nothing bad there. I think everyone knows LinkedIn has it's issues. But like come on. Why make everyone's private job search public? by default no less!?

How can we trust triplebite with our career, finance information and personal information when you pull these kinds of moves. Make a good product. If it's actually good people will sign up.

We're not making anyone's job search details pubic. All that the profile will show is that an engineer created a Triplebyte profile at some point in the past, and any badges they earned.
“We aren’t making anyone’s subscription status public. All that their profile will show is the fact at some point in time they registered an account on Pornhub with their email address and real name, and any badges they earned.”
(comment deleted)
(comment deleted)
It'd be helpful for you to spell out what exactly will be public. Even the simple fact that a so-and-so has a Triplebyte profile might be an unwelcome involuntary public disclosure to that person, if they're a current user who didn't read your email and fails to opt out. The (possibly unintended) lack of upfront clarity regarding what exactly will be public by default is also not helpful. Software engineers are probably more likely that other members of society to have strong opinions and expectations about their online privacy, and are probably more likely to be upset if they feel those expectations are violated.
I had added TripleByte to the list of resources to use on my next job hunt, that was a mistake.

I have made a note of this singular action along with your repeated refusal in this thread to acknowledge the harm you are causing.

People don't want their current employer to know about their job searches, period. There's a difference in magnitude between this and the Ashley Madison leak, but it's the same concept. Having a profile at all is a clear sign to your current employer. It doesn't matter what you were doing with it or when you created the account.

Given your demonstrated propensity for making previously private information public, shouldn't we evaluate your claim as "We're not making anyone's job search details public yet."

I wonder, what future value will you find by giving away more private information? I know by this example that you won't even wait for the consent of your users before you exploit their private information.

All over this thread you are responding about the details not being public.

The existence of the job search itself is the issue. I'm not sure what's not getting through about that.

Because they are pivoting which is a nice way of saying failing.

Now if this blows up there is an even bigger target on Ammon's back and he may be panicking. That or he is a scumbag. Could be both.

If you’re playing defense you’ve already lost. Listen to your customers.
The primary reason people sign up with your service is job search. Having a profile most likely indicates job search and will certainly be interpreted as such by many managers and employers, I expect.

It’s like explaining to your spouse of 5 years why you have a profile on a dating site that started 3 years ago.

Hi, I've had the same job for ten years. You were founded later than that, so my current employer knows I used it while working for them.

Is that OK with you?

Imagine that you are the CEO of Ashley Maddison making this argument...
Which is enough to identify people who are looking for a new job.
> We're not making anyone's job search details pubic. All that the profile will show is that an engineer created a Triplebyte profile at some point in the past, and any badges they earned.

You are totally missing the point. You think the change significantly improves your product, but your users perceive the change as a massive breach of trust. Why? Because the underlying JTBD (job-to-be-done) for a lot of engineers is discreet job searching. IOW, for a lot of people, a public TB profile would be like having a private Ashley Madison profile [0] exposed to the public. Ashley Madison was a major source of embarrassment for many when they suffered a breach.

Rather than double-down, might be time to step back a bit. The aphorism "the market's perception is your reality" is especially instructive.

[0] The Ashley Madison metaphor used by this commenter is especially apt: https://news.ycombinator.com/item?id=23280782

It’s the Zuckerberg playbook.

There will be some other time in the future where you’ll have to come back to opt out again.

Deletion of your account will be a soft delete, with the account popping back up again and again like a weed.

The sooner these types run out of VC money the better.

That ammon would even consider doing this proves that he's no better than linkedin anyway. What a fool.
Why is a government ID required for account deletion process - you never asked for it during the registration process?
(comment deleted)
I think everyone here would agree taking on Linkedin is a very good thing to do, especially Triplebyte who was already in a good position and fairly well considered here.

But not this way, not forcing all of your users into a public profile by default and making them provide gvmt ids to delete their accounts. Your users gave you their data for a specific purpose, and you took it and used it totally differently. This seems like a great violation of GDPR BTW.

I am from EU, I live in Switzerland and I can tell it clearly is a GDPR violation. I’ve just sent a reply email and a account deletion request. The govt ID thing is shady, given the fact that they never requested it at sign up and that wouldn’t serve as a proof. I hope they will delete my account by the mentioned 30 days or I will fill a lawsuit. Besides common sense, privacy and trust do not work like that, at least in Switzerland and in EU. As a user, I would have been so happy to be informed about this important step (which is actually exciting) of a company I liked. And I would have been so happy to be actively involved and engaged in this step by being guided into discovering the new features / roadmap and THEN make my own decision about the opt-in. That would have been a huge win-win. I am wondering if it’s a lack of common sense or the pressure or VC funding here. That’s a pity for what I’ve considered a good company, and I hope they will revert this decision.
>I hope they will delete my account by the mentioned 30 days or I will fill a lawsuit

AFAIK unlike the CCPA, there's no private right of action for the GDPR. That is to say, you can't actually sue the violators yourself, you need to complain to your country's national data protection authority, and they have to take action.

Crunchbase tells me that you have raised $50m. This means you have someone who runs your communications and you hopefully have some kind of PR or crisis management firm on retainer or at least in your Rolodex.

Call them on the phone right now before you make more bad decisions.

Ah the good old physical Rolodex! You can rely on that not to make itself public in 7 days.
Your comment made me buy one on eBay. I’m going to use it for a telephone operated jukebox.
> Really sorry that you think this is awful.

Classic non-apology apology. You should not be sorry that he thinks it is awful, you should be sorry that it is awful.

Nobody cares about how much work you put into what amounts to an illegal disclosure of personal data.

Indeed. That's on par with:

"I'm sorry you're an idiot."

Not an apology, an insult, and feigning to be apologizing about you (which is doubly insulting).

Idk why you were downvoted, this is totally true.
You apologize for your actions, not because someone had a reaction to something you did. I suggest therapy.
Sera HN: Please don’t downvoted these kinds of replies from relevant people.

They are super interesting given the link, so why try and hide them?

I think few people are interested in responses other than "we will stop doing that"
Downvotes aren't supposed to be "I don't like you" buttons. This is literally the man who wrote the email responding to the thread about the announcement. Regardless of how anyone feels about the response this should absolutely be the top comment on this thread. I shouldn't need to turn on "showdead" and highlight the comment just to read statements directly from the horses mouth as it were.
A downvote represents my displeasure with the non-apology apology.
Sure, but it also hides a very interesting part of the conversation.

Use your downvotes to hide irrelevant posts, not to display your disagreement. (It won’t really display anything)

The Internet craves a good dumpster fire every once in a while, with truly evil company actions, tone deaf non-apology apology CEOs, and a certain future collapse.

Thanks for the entertainment!

Does it matter what you think here though? Your customers gave you their data under one pretense, why do you think you can ethically change that pretense without discussing it with your customers? Said another way, you entered into a business deal with your customers and unilaterally changed the terms. I feel like if someone did that to you, you would be upset as well.

People in this thread have carefully laid out the dark patterns you are using to trick your customers into allowing you to try and make more money. This is wildly unethical, and coming to defend it on here shows us clearly that you have not thought about this from any perspective but your own.

Good luck with your company, you’re going to need it.

"you entered into a business deal with your customers and unilaterally changed the terms"

This just jumped out at me. Doesn't every agreement/TOS document these days say they can unilaterally change the terms at any time and your only recourse is to stop using the service?

I mean, I guess my point is not that it's ok, but that it emphasizes how "agreements" in our society don't seem to be actual agreements and we go around with the certainty that most will never be enforced, but then people don't always agree.

As with most of these cases, the legal text and the social understanding vary quite significantly. From a legal perspective I would not be surprised to find out that Triplebyte is in the clear here (IANAL). But from a social perspective, they are quite obviously in the wrong.
Hard to find the opt-out button. You have to sign in, go to your "profile builder" [0], and then click the very low contrast "Visibility settings" button just below the top of your profile.

[0]: https://triplebyte.com/candidates/profile_builder

Thanks for this, there is no way I would have ever found this without your post. It definitely seems like this link is intentionally hidden.
Wow, it's like it's following every dark pattern in the book. Wouldn't have found it out myself.
It's a master class in dark patterns. I guess they figure this will be good in the long run, but I'll never trust anything from Triplebyte or Ammon Bartram after this.
And to delete account you have to email them.
Easier to find the "delete account" link...

https://triplebyte.com/privacy-center

It takes 30 days for any of these, actions to take place, but the window in which it was announced is a week. Something seems off.
And you need to have logged in already for the delete to work, after which you get an email to approve the request which ends up with this notice of requiring government id as well. Govt Id, really, what are they thinking here?

```

We're processing your request and should be done within 30 days.

We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

```

Triplebyte has definitely been the worst experience I have ever had, in fact they are so bad, i would rate them below the other unprofessional recruiters we all come across!

This corresponds to the 30 days allowed for GDPR:

"Under Article 12.3 of the GDPR, you have 30 days to provide information on the action your organization will decide to take on a legitimate erasure request. This timeframe can be extended up to 60 days depending on the complexity of the request"

I deleted my account today and will issue a GDPR request if It doesn't get deleted.

Problem is, you'll never know. Companies simply append 'deleted' to your email address or other data in your record. This then makes the system reply there is no account.

You think it's actually gone while they still have your data. You should do the GDPR request no matter what and hope they're honest in responding to that...

I did this exactly right now and super pissed on what they are trying achieve by this jumping around the hoops
Thanks, I could not find this link when I logged into the app. I would have assumed this option would be under the profile page.
Talking about dark patterns, the email was sent after 5:00pm on a Friday before the long week-end.

Triplebyte team knew that their users were not going to like it and did their best to slip this through.

Triplebyte went from being a respectable company helping skilled hackers by-pass white-board interviews to being a prime example of unethical tech company in one stroke.

They've been sketchy since inception. I was in a very early batch, if not the first, in 2015.

Remember that the premise was that they were non-adversarial, anti-gotcha interviews, whiteboards, nit-picky algo implementations from memory, etc. They purported to do some qualitative analysis instead.

We schedule a session and I get the confirmation: "This is a chance for you to go into more depth, and show us something that you've built. This will not be a high-pressure interview." I get at email the day before our scheduled session that says, "Remember that we're going to talk to you about a project that you've worked on," as agreed.

The following day, just a few hours before our appointment, a founder emails me saying, "Just wanted to give you a quick heads up that rather than walking through a project today, you'll be doing some programming together with an engineer."

They duped me into an adversarial interview. That kinda thing grinds my gears, but I went along with it anyway. I get the response: "We really enjoyed it and thought you did great. We'd love to talk more with you and invite you to a second technical interview."

I opted out as this continued. They acknowledged that they were changing things around without telling people, but it was just so antithetical to the mission that it became disingenuous.

When you pair that attitude of disregard with fact that they're playing sociologists, it's a bad look.

Anyone else just get another unsolicited email from them?

Subject: Triplebyte explained, from coding quiz to job offers

"Hey there, I'm Tyler, one of the engineers here at Triplebyte!"

This hours after opting out, setting privacy options, and deleting account.

Crushing it guys...

Hey everyone. Happy to answer any questions about this. Basically, we think that LinkedIn profiles don't do a good job of showing engineering skill (especially for self-taught people or people from non-traditional backgrounds). I'm excited to just build better support for showing side projects and GitHub contributions. LinkedIn profiles have become the default engineering resume (despite the fact that most engineers are not particularly happy with their LinkedIn profile). But there's lock-in. I hope that we have enough scale to be able to chip away at this.
Please do not turn it into another Rolodex and competition for connections. It’s bad enough to know that connections could be mined through inference, but I’ll be leaving the second I find out you are turning into a social network.

A nicely styled resume and showcase should do the trick nicely.

This should absolutely be opt-in, not opt-out.

Were people that originally interviewed aware before their interview that their profile would become public at a later date?

I interviewed with them last year, and just got this email. There may have been some of the usual boilerplate about “publish, disseminate, or publicly perform your content in order to provide our services” somewhere (actually, I recall a surprising lack of legalese) but there was absolutely not any attention drawn to the possibility that my profile would be shown to anyone other than the companies looking at the round of candidates I was included in.
I didn't even "interview", just took one of their tests out of curiosity to see how I did. The announcement was especially unwelcome news given that I'm not even looking for another job.
The objection seems to be that this is automatic, with opt out, instead of with opt in. Another commenter makes the point that the opt out button is difficult to find. Those are the issues you should address.
I have a hard time not believing that the opt out button is hard to find on purpose.
Anybody know where the fuck the opt out button is? I literally can't find it on mobile

Edit: For anyone else struggling to find it, look for the box with the heading "Profile URL". There's a link in the upper right corner of the box that says "Visibility Settings". It's light grey text and kinda hard to notice that's a link.

Just for anyone else, if you're forcing users to opt out of something like this it should be a BIG BUTTON AT THE TOP OF THE PAGE.

How do you justify opt-out versus opt-in for publicizing this info? Do you not see the potential harm in "ammon is looking for a job" showing up to someone you work with?
They did, but they weighed this against launching with X thousand “active” profiles and decided it was worth the outrage. $GROWTH
When are you going to be available outside the US? If you were going to offer the service how much would it cost to have you do the interview/skills assessment as a service if you’re not going for other markets any time soon?
If I opt-out and make my profile non-public, what kind of information in the profile will still be public?

Because, in the "Visibility" link in the profile builder says: Your public profile will be invisible and will not appear in public search engines. This simplified version of your Triplebyte profile showcases your technical achievements based on actual skills, not pedigree (it does not contain your score details, job status, or preferences). Turn your visibility “ON” in order to share your unique Triplebyte profile URL on job applications, LinkedIn, GitHub, and other platforms.

However, "Learn More" says the URL will be inaccessible when not Public. So, which is it?

Thanks for coming to answer questions here even though you’re likely to get dragged through the mud for this decision.

FWIW, I agree with other commenters that this is a betrayal of trust but I don’t have anything original to add.

Well, sorry that you feel this way. I don't agree right now (clearly). But I'll certainly take this seriously and think more about it/listen to feedback. We're talking about relatively basic profiles, to give us the canvas to launch public achievement badges (that we hope allow us to better help people who don't have traditional credentials). My view, building this, is that we're not displaying anything more private than hundreds of other companies. Stack Overflow has public profiles. Hacker Rank has public profile. AngelList has public profiles. Even HN has public profiles. We are launching public profiles for a product that has not had them in the past, and I get that that's a more sensitive thing to do. What we've focused on to keep that from harming anyone is what data we include in the profiles. I wish we'd include more details about that in the email.
All of these companies have opt-in profiles. When you sign up for the service, you can tell already what you’re getting into and what will be displayed. As far as I’m aware, none of them started as an unrelated service that suddenly announced they were going to make a public site and seed it with information from anyone who’d ever interacted with them.
First off, thanks again for taking the time to speak with us on HN.

I think you’re missing/avoiding the issue that people might want to hide the very fact that they have a Triplebyte account at all. It implies that they have job hunted in the last 5 or so years, and someone who’s been at a single company for longer than that might not want that information to be available.

I work at Google, and I can tell you as a fact that our Privacy Working Groups would never let us launch something like this without explicit user consent.

Google did something significantly worse -- and spent ages apologizing for it and never really recovered from the reputation hit, and I suspect that negative impressions Buzz gave people were a contributing factor to G+'s total failure.
> and I suspect that negative impressions Buzz gave people were a contributing factor to G+'s total failure.

Absolutely.

Google+ became really nice towards the end, but HN kept hating it, and I guess partly because of Buzz.

(comment deleted)
Wow...

> Google Buzz publicly disclosed (on the user's Google profile) a list of the names of Gmail contacts that the user has most frequently emailed or chatted with.

Google Buzz is something you definitely don't want to be similar to.

The difference is that people expected their relationship with Triplebyte to be private, and not a public matter. A lot of people do not even want the fact that they're on the platform to be public. Like it or not there's a cultural expectation of "people have Linkedin all the time even when they're not necessarily job hunting," a level of leniency and acceptance that does not apply to Triplebyte (which is currently viewed as a "I want to get a job now" website)

I have had a really positive experience with Triplebyte so far but hope your team can understand the root of what is bothering people about this decision.

I've always wondered if people who use corporate doublespeak like this realize how transparent they are.

Why not just say "We think we'll make more money by sharing private information our users trusted us with, without their consent." Then at least I think you'd get points for candor and honesty. As is, no points for either and everyone reading knows what you mean.

By the way, is it true you require a government id to delete your account? If so, why?

You mentioned Hacker News in passing. HN has public profiles indeed, but most of them don't have much information. Either people don't want to fill them out or they don't care to, possibly because they just want to do other things on HN (like post comments or upvote articles and comments.) The way public profiles work vary from service to service, as does people's expectations regarding those profiles. From what I've read, it sounds like public profiles haven't been Triplebytes focus, but users are now upset that they're being brought into focus or given more exposure than they ever expected before (assuming people are correct in the fears they've been expressing here.)
Also, most HN profiles use pseudonyms. the profile might be public, but the connection to a human being isn’t.
You are not Stack Overflow. You are Ashley Madison.

Outing people who trusted you to help them find a better job in secret will go very badly for you.

I predict lawsuits.

The difference between what you are doing here and the other public profiles you mention is consent.

When a user creates a profile on Stack Overflow or Hacker News, they are consenting to share whatever data they give on that particular platform.

When a user created a profile on Triplebyte, up until now, they were consenting to that data being used in a private profile for the purpose of connecting them with job opportunities, privately. Now, you've emailed all of your users on a Friday evening to say "by the way, if you don't opt-out in the next week, we will take this data that you gave to us under the assumption that it would be private, and make it public (and potentially searchable)."

By saying "we'll do it unless you say no", you are not getting consent.

If you're familiar with the tea analogy of consent, a la https://www.youtube.com/watch?v=oQbei5JGiT8, this would be like you saying "well, other users (not necessarily every user, or you, the user in question right now) have had tea (not necessarily the same type of tea) from other platforms. This is just like that. So, if you don't say no to our tea in the next week, we're going to drop the tea on you. We hope you enjoy!"

You are not just "launching public profiles for a product that has not had them in the past", you are launching public profiles and on them you are _sharing data that was given to you under the agreement that it was private_. You are using data that folks gave you in a very, very different way than for the purpose they gave it.

Finally, just to really drive this home, you say "What we've focused on to keep that from harming anyone is what data we include in the profiles."

And, what data is that? What personal data, given under the agreement that it would stay private, won't harm someone if made public?

Full (presumably legal, or at least professional) name, coupled with profile picture (presumably a clear photo of their face) and, I'm guessing, also the locations they said they were looking for a job in? Although, fine, in most cases sharing that data is mainly annoying and trust-breaching, that combination of information can be devastating if leaked. Consider a person who has escaped an abusive ex-partner, and has managed to keep private about what new city they've moved to, now popping up in a Google search for their name that has their picture and the fact that they're looking for a job in Los Angeles. This person probably isn't your core user-base, but stories like this are real, they happen, and if you get enough users, they will be among your real life user stories. You have to consider user stories like this when you are trusted with personal information.

This ain't it.

You're exposing job searches publicly that were supposed to be private. You advertise this privacy when users create new accounts, so you can't play dumb and pretend that somehow over years of running a company like Triplebyte it never occurred to you that folks don't want their search made public.
A public stackoverflow/github/angellist profile does not leak information to my employer that I'm seeking new opportunities.

Tripebyte is fundamentally different and dangerous there.

It make no difference whether you're sorry that people feel that way. It's the wrong thing to do - you're going to hurt people doing this.

It make no difference that it's a fantastic opportunity for you and Tripebyte. It's not what you told people when they signed up and entrusted you their names and jobseeking. It's the wrong thing to do - and only lawyers are going to end up benefiting.

I've read several of your, "I'm sorry you..."

How about an "I'm sorry I..."

Take responsibility for your own actions.

> Stack Overflow has public profiles. Hacker Rank has public profile. AngelList has public profiles. Even HN has public profiles.

Come on now, these examples are not even remotely similar to what you are doing here.

Firstly, it's up to me whether or not I even create a profile on those sites.

Secondly, if I choose to create a profile, I have full control over what is shown publicly.

What you are doing here is making information public whether I like it or not. This is not OK, and you trying to defend it here is mind boggling, and demonstrates clearly what little regards you have for privacy. I for one will now never have anything to do with TripleByte.

(comment deleted)
(comment deleted)
It's so disappointing that you cannot see how blatantly wrong what you're doing is.
An employer wouldn’t fire me for having an HN or AngelList account.
An honorable employer wouldn't. Even honorable employers can have HR staff who are not.
> Even honorable employers can have HR staff who are not.

I disagree. HR reports to the CEO, just like everyone else. If the CEO tolerates HR (or any department of the company) being dishonorable, the entire company is dishonorable.

> Stack Overflow has public profiles. Hacker Rank has public profile. AngelList has public profiles. Even HN has public profiles

This seems so obviously disingenuous to me. You know why Triplebyte is different, right? You understand why employees would want to keep the fact that they have a Triplebyte account secret instead of public, right?

If you do know that answer, then you should recognize that you're betraying the trust you created with the user. If you do know why Triplebyte is different, then you're lying to us here.

If you do not know why Triplebyte is different why on earth are you the CEO of a recruiting company. That's absolutely unforgivable.

This one sentence gives away that you're either lying to us or willfully ignorant and careless about your users. Either way, I'll never trust you again.

Dude, the default for profiles should be private. Allow users to opt-in to a public setting, if they prefer.

You are making a huge mistake and going to drive your company to ruins. Change it now.

I'm less concerned than everyone else about this, but I do think it's ridiculous that we have one week to opt out and we can't even preview what you're going to make public right now.
I’m having a similar gut reaction. I just got the email and had I missed it (which is entirely possible since Triplebyte has been bombarding me with erroneous newsletters), I’d have a by default publicly visible profile. Just went in and turned the visibility off.

The roll out of this needs to be handled better, with extra care given to privacy settings, and verbiage on the profiles.

For example, Triplebyte has the following language - ‘I am currently open to new opportunities’, heh, yeah, please, show that on my public profile while I have an existing job.

A robust technical assessment site focused on tech is good, especially if it is nuanced in assessing people (not hard cut offs, finding strengths and weaknesses on a spectrum, etc), but please, take good care of privacy and clear communication.

Right! How can you share anything about your desire to find a new job without recruiters seeing it? And then, how do you make sure that the platform somehow excludes your current employer's recruiters? As with Ashley Madison, where you might find your spouse looking for you. So the privacy concern is a bit overdone, but nonetheless, the company's behavior is a bit shocking. If the CEO thought the users' profiles were as good as public, why not communicate that well to the users to begin with and later float the idea of making profiles truly public?
What’s the next step from here? Public profiles themselves aren’t very useful in of themselves.

Asking as someone who has been on the platform for a while but has not found any success through it. I have other thoughts but would like to hear your plans before adding.

We plan to add more engineering-specific sections to the profiles. I think there's a lot of room to just display what matters to engineers/eng hiring managers better. Then we want to use the profiles to push the industry to look beyond traditional credentials (school, work at top companies). Recruiters say that they want to do this, but we need to get them off of LinkedIn where everything is designed around the traditional credentials.
How's it feel? When is the apology coming?
That’s an interesting thought, but I haven’t seen any change in both attitude and the interviewing process from companies on TripleByte. Do you have any hard numbers showing that companies are willing to walk the walk instead of just talk?
1/2 of the triplebyte recruiters that reach out to me don't even reply
> I think there's a lot of room to just display what matters to engineers/eng hiring managers better.

There's no doubt a lot of truth there.

What matters a lot to engineering managers are the answers to questions like "What other roles is this candidate interviewing for?" "How well did this candidate do in their Triplebyte interviews for our competitors?" "What are the salary ranges of other roles this candidate has clicked on or applied for?"

Will that also form part of every user's public profile, with the same "1 week to opt out, 30 days to enable opt out" process? Or will that data only be available to hiring managers with Triplebyte Premium accounts?

You know what, it's clear that you've put a lot of thought into this from the product & strategy side, and these are genuinely great ideas with significant potential social impact that are worth exploring further.

But it really is a shame that from this incident, myself and many others will no longer be willing to trust you and your team with the data needed to execute on these ideas.

At the end of the day, we entrusted you with extremely sensitive data in order to use your service that could threaten our very livelihoods if exposed. Your choosing to expose this data without explicit opt-in shows an alarming lack of empathy for your users and that you were never deserving of this trust.

why ignore the legal precedent? it's more than personal opinion in every sense of the word, it's an already hashed-out question that had a very clear consequence. "Recruiters say" doesn't even come into the conversation -- this has been tried before. do you have a legal team? do you pay them more than pocket change? god help you, but at a certain point you chose to ignore the book
Please make this opt-in and not opt-out.
well if they have European users they basically have to make it opt-in
Not really. Depending on what you mean by European users, GDPR may not apply here (if GDPR was what you were alluding to).
Gdpr 100% applies here to any user residing in the EU, and as one I find it appalling that this is opt-out. Further, I couldn't find an option to delete my account, which is another clear violation of GDPR. I wonder how long before they get hit with a juicy fine.
Yeah, my understanding is that if they did not make an attempt to block EU citizens from using the site then GDPR does apply. The problem is that IIRC, when I was singing up they were explicitly serving only few cities in the US. Might be misremembering though, it was a while back.
Do you think American anti-hacking/DMCA/etc laws do not apply to people living overseas? (like Gary Mckinnon for example).

Corporations don't get to choose, either laws apply or they don't apply internationally.

If I recall correctly, the corporations that explicitly do not aim to serve EU citizens (and make reasonable attempts to block them) do not need to follow GDPR. Then there's a matter of enforcement - I don't think EU can do anything to a company that does not have any presence in the EU. IANAL, but I am an EU citizen living in the US so it would be great if I'm mistaken here. :-)
Lock-in to your platform sounds even worse than LinkedIn.

How long before we all get an apology email, "Upon careful reconsideration...", 72 hours?

It'll be "We heard our community's feedback.". "Many of you responded passionately to our announcement.".

God damn corporate spin pretending nothing bad ever happens..

What a foolish decision to make. Knowing what you know about HN users, did you expect that this would go well? You can pretty much assume that Triplebyte will be persona non grata henceforth, especially as word spreads that you are publicly exposing people and only giving 1 week to opt out.

Extremely foolish and really shines a bad light on your decision making capabilities. Why would I put my trust in a company that is so shady?

You will change this bad decision and apologize, but you have betrayed the trust of all the people who have used you. Even if you change your policy now, we know you will change it back in the near future. No one will use your services again, because of this betrayal. You just killed your entire company in one fell swoop.

I’m shocked that someone associated with YC could make such a demonstrably poor decision.

A lot of people go through YC and while their filter is better than most I assure you this is hardly the most shockingly stupid thing I've seen someone in YC do, ever heard of Meta? That was a dumpster fire from start to finish.
I'm interested in knowing whether you surveyed at least some of your users (random ones, who aren't coworkers or acquaintances) what they thought about the change you just announced. I can understand that as a company you may wish for secrecy before you make a strategic move such as this one, but this sounds like the kind of change that'd be good to ask users about before doing it. Or maybe this didn't seem like a controversial move to you guys? (If so, bummer, but I hope you can still prevent or fix a potentially serious mistake.)

FWIW, I hadn't heard of TripleByte before, but this is not a good way of hearing about it, nor would it encourage me to become a user, if people's fears match what you're actually planning to do. If they're correct, it sounds like you're about to intentionally or accidentally implement a dark pattern. I hope that's not the case.

I can appreciate that it's an exciting opportunity for your business, but your failure to read the room here seems spectacular. My jaw dropped at each of your responses failing to understand why people were concerned and react appropriately. Hopefully there's something in the explanation of new functionality that's been missed and it's a misunderstanding?!
(comment deleted)
I absolutely would have used TB for my next job search, when the time was right.

Now I absolutely would not. Dead simple.

Others have addressed the obvious privacy issues, so let me address your logic on the business side of things. I apologize in advance for the tone, but your move with exposing profiles made me angry. Good thing my TB profile is fake (and performs worse than my actual, real life resume despite all the embellishments)

1) There is no lock in - I can move on and off LI whenever I want, and have. I've exported my data and used it to create my own resume site with analytics that I send out to companies. I can see who viewed my CV, when, and whether or not they actually read through it or bounced immediately.

I've also learned to track the progression of my candidacy through the organization using this trick (recruiters tend to view my CV on their Windows desktop during work hours, hiring managers tend to check out resumes in the evening on their iPhones or Macbooks, engineers/tech leads tend to use Macbooks, desktop Macs or Android phones in the morning or during lunch time. Usually when I've hit the engineering lead I tend to get invited to interview).

It's extremely easy to create your own CV website for free (github/lab pages) that's versioned by git and deployed automatically using a CI script.

2) You're attacking the tech hiring problem from the wrong angle, like everyone else. There is no issue with discovery of candidates and employers. LI and stackoverflow, etc do a great job of approximating this O(N^2) exposure process, the filtering and sifting. The ACTUAL problem is on the hiring end - companies won't take a chance on non-traditional candidates (not talking about race and gender here, more about credentials).

You have to start by chipping away at the costs of showing competence for a candidate (the traditional way to do this is to get a three- or four-year degree that's either expensive in terms of time and money, or useless, and if you get a degree with a low score, doubly so, even though you might be a better programmer than the people who scored over 90%).

This will only happen by convincing hiring orgs to hire non-traditional candidates, and this requires establishing a very strong signal/noise ratio for candidates coming from your hiring channel. Before you start PRing me about how great TB is at this - no it isn't. Not any better than leetcode etc, and those are terrible at predicting engineering competence.

"used it to create my own resume site with analytics that I send out to companies. I can see who viewed my CV, when, and whether or not they actually read through it or bounced immediately"

I'd be super interested to learn more about how you did that.

Google Analytics
Geeks don’t dislike LinkedIn because the formatting isn’t right, they dislike it because of the dark patterns. If that’s the measure with which you’re trying to compete with LinkedIn, it’s safe to call this one a win.
You're missing the point by focusing on the job search information specifically.

Any information provided without a clear understanding that it would be made public should not now be made public by default, even if it is just a name and some badges.

(posting from a throwaway account, but long time HN user).

Well, I was just about to go through your process, since you announced that you are opening to remotes (I'm in the EU), but now I've requested that you delete my profile. No way I want my current employer to know I'm looking, especially in the current climate where job hunting is difficult.

As other people have mentioned, you now have a deeper problem than entering a new market. You just broke your users trust.

And the sad thing is that this was a real opportunity, because linkedin sucks. Unfortunately what you failed to realise is that there is appetite to switch from linkedin to a more honourable company. Not to an equally or more dishonest one.

Most likely your staff were trying to warn you about this from the beginning, and it would be worth your time reflecting on why you didn't take note of that more deeply.

I know you are looking for actionable routes to save your company right now. In my opinion, the loss of trust is so bad that only a pretty costly signal will now cause people to reevaluate. The one that springs to mind is for you, Ammon, to announce that you are stepping down as CEO and starting a search for someone who is committed to privacy to take on the role.

I have a triplebyte account and would love for you to take on LinkedIn, but it absolutely needs to be opt-in. Sorry if that makes things inconvenient for you, but I’m going to delete my account if you go through with this.
You can’t unilaterally decide to give me a public profile; that is a trust ruining decision that you’ve made.

If you gave me the option to make one, we could talk. But by making that decision for me, I now have to view you as a fundamentally un-trustworthy party.

It would have been more productive to say nothing and just plow on, than attempt these comments.
Employees require discretion and privacy when they are searching for a new job. Do you need us to enumerate the reasons for this? This new approach is unethical and completely tone-deaf, at best.
I think it would make more sense to make this opt-in. For instance, I set my profile not to be displayed a while back, but when I checked on this new thing, it was set to make at least some part of the profile public by default.

Keep in mind that Triplebyte profiles have no reason to exist except people looking for work, and that most people have a reason to want to be sure that a current employer does not have an easy way to find out that they're looking for work. I can have a HN account and it doesn't make anyone think I'm looking for work, but if an employer sees my profile on Triplebyte, it tells them at the very least that I was at some point looking for work. If they see it on Triplebyte after having previously not seen it, it tells them that something changed recently.

I would definitely think this should be an opt-in thing.

get lost dude. your org has been parasitic since day 1.
>"Basically, we think that LinkedIn profiles don't do a good job of showing engineering skill...:"

So that's your bar, a growth-hacking dumpster fire?

>"LinkedIn profiles have become the default engineering resume (despite the fact that most engineers are not particularly happy with their LinkedIn profile)."

No they haven't. You know what the default engineering resume is? The one you have on your hard drive that you share at your discretion.

I'm quite surprised at how oblivious you seem to be of the issue of user trust.

You just lost any trust and goodwill that Triplebyte built up with myself or any of my engineer friends.

Here is that problem: people gave you their data because you told them that you would make it available to companies that were NOT our current employers or the general public. None of us agreed to let you post the fact that we were actively seeking employment.

You betrayed our trust and are using data none of us agreed you could use in the way you are using it.

Isn't this basically a GDPR violation as you didn't acquire consent for sharing data with such purpose(public display of a profile)?
No one asked you to broadcast our progress on your platform or participation in it. I made sure to not only make my account not look it's mine, I used every control to lower its impact on my footprint and pushed my peers to.

From today onward Triplebyte has established its place in the lexicon as a ghetto self-serving linkedin wannabe. Good job.

I'm curious about why this post appears to be on it way to being flagged off of the home page. It's valuable information and is likely very relevant to the HN community. Thanks for the heads up @winston_smith.
It is off the homepage again.
It set off the flamewar detector. We review submissions that are affected by that software, and turn it off for threads that aren't flamewars. I've done so for this one. Other than that, moderators didn't touch this post or (as far as I know) even see it.
Hey that's neat, I didn't know HN had a flamewar detector. How does it work? Content matching and post frequency?
Might be depth of comment branches and ratio of upvoting and downvoting to comments?
I know at some point there was a penalty attached to articles that had more comments than upvotes.

This struck me as incredibly unnatural, since I frequently comment and very rarely upvote an article. I don't really see what the one metric has to do with the other.

But apparently everyone else has a different model of HN in mind.

I think there's a lot of variance in the way people use HN (I don't upvote stories much either, though plenty must, given the vote counts we see), but dang has had plenty of time (i.e., nearly 8 years in the job) to observe what combination of upvotes, comments and other behaviour may indicate a possible flamewar.
I’m sure some heuristic that combines comments per hour, average thread length, and ratio of comments to upvotes could do a pretty good job detecting flame wars in a community the size of HN.
(comment deleted)
This is horrible, what a breach of trust. I used TB to stealthily interview for jobs, had a good experience. Recommended them to others. Now I see that if I hadn't seen this post, I wouldn't have known about this and those details would have been public, which had the potential to seriously undermine me at my current position. I'll opt out tomorrow, but according to others it sounds like the visibility link was somewhat hidden. At least with this they're well on the way to becoming the next LinkedIn, at least by their practices. What a dark pattern.
> if I hadn't seen this post, I wouldn't have known about this

To be fair they sent an email to everyone who had signed up; I received the same email.

My problem with this is the automatic opt in, using my profile and details for more than I intended for them to use it for (regardless of whether I technically signed something staying they _could_ do this, it is borderline unethical to use my information for this purpose), only having a week to "opt out", and not knowing what opt out even does. Sending an email to everyone doesn't cure any of these points.
Not to mention that the only reference to needing to opt-out is a veiled mention buried in the second paragraph. I skimmed the email briefly, said “oh that’s neat, what a great idea” and filed it under “things for the next job hunt” thinking I’d turn on my profile then.
The link in the email did not work for me: it sent me to my profile, where I was presumably to be able to opt out of sharing my info publicly. But I could not see any way from there. Maybe I'm blind. As usual, googling worked better to find something on the site than using the site itself. Googled: triplebyte opt out -- that linked me to the right place. https://triplebyte.com/privacy-center
If we're going to be fair, we have to acknowledge the history of email over the last thirty years: spam, spam filters, and the "Mark as Spam" button.

Email is what I use to notify my customers of a 25% sale, not to tell them that I'm going to plaster their data all over the internet in violation of the spirit of the service I'm providing. I use regular mail for that.

I'm very much only addressing the small string of text I quoted; I agree it should have been opt-in since many people don't check their email diligently.
I’m not sure using snail mail as the default venue for important information is really the smart play here. I check my mailbox a lot less often then I check my inbox and I don’t even open 99% of the mail I get since I assume it’s just junk. I’m a lot more likely to miss whatever you sent me if you had sent it by post than if you had just sent an email like a normal 21st century organization.
who reads those emails?
Precisely why this dark pattern is so common.
Your Triplebyte profile will NOT contain any data/details about you or your job search that will undermine you at your current employer. We should have included a screenshot and more details in the email. I'll talk to my team about following up with more details tomorrow. We are talking about a lightweight profile, like your Stack Overflow or HN profile, to provide us the canvas to release badges. That's it.
If someone goes from not having a profile to having one, you know they’re job hunting.

It’s like saying “Your Tinder profile will NOT contain any data/details about you or your dating search that will undermine you in your current relationship.”

Exactly. This is basically like the workplace equivalent to the Ashley Madison scandal, only pre-planned.
That's a false equivalence. You're talking about a business relationship versus an intimate personal relationship context.
My point is that just having the profile is data. He can’t predict what impact making this data public will have.
Companies that are worth a shit don't retaliate against people for looking at other opportunities. That's precisely why your Tinder example is not just off base, it's wrong.

Another way to look at it: either you're a replaceable cog, or you're essential to running the business. If you're essential, they're going to do whatever they can to keep you. If you're replaceable, they probably don't care that much whether you in particular stay or go, but it will certainly cost money to replace you, which they'd rather avoid spending.

Only a completely irrational company would cut someone loose just because an online profile with that person's name on it appeared somewhere.

Being fired because you're perceived to be looking for other jobs probably isn't a realistic concern. But being passed up for promotions or missing out on desirable opportunities because you're perceived to be looking for other jobs is a very real possibility, even if you're not easily replaceable.

The Tinder analogy is imperfect because of that, but it's still a good illustration of how just the existence of a profile can destroy your plausible deniability.

> Being fired because you're perceived to be looking for other jobs probably isn't a realistic concern.

It definitely is.

If I had to lay off one of two employees in a role, both do the role fine, but I strongly suspect one of the two has been looking to leave... Which of the two am I keeping?
The type of relationship is different, but the example still holds. Having a profile at all can and likely will be viewed as an indicator of intention to leave the current relationship for a new relationship. This was how it was viewed having a resume profile on sites like Monster and CareerBuilder before LinkedIn made it the norm to have a public resume.

Time frame is also very important. Example, a user has been with the company for over a decade, but the product has only been around for a few years. Or if one of the "achievements" was a test that was added recently.

I have a TripleByte profile. Am I job hunting? This is not a hypothetical. I really do have a profile.
Not necessarily.

But what if you didn't have one yesterday, but you do have one today? What if you have only worked for one employer since TripleByte was founded (2015)? What if the only place you've worked is a startup of which you're a cofounder?

If you can't think of a way in which a privacy leak can have consequences, that doesn't mean there aren't any.

What if I have? How does that imply anything other than that I took a test?
It's a known interviewing service. The implication by many would be that you took the test because you were interested in interviewing.

Is there another big use case that I'm missing from their product? Interested in hearing your interpretation of a person that has a profile on an interviewing service. My assumption would be the main objective of a user signing up for a service would be using the main product the service provides.

After reading your various comments, I have to ask if you have any relationship with Triplebyte and/or its founders beyond merely using the service. And yes, I would greatly appreciate an answer to this.
I do not, other than having interviewed with them. For the record, I would not care to repeat the experience, either. I found the process unnecessarily stressful and not worth the time investment.

Nonetheless, I don’t find very much wrong with what they do, in general, or what they’ve done here. Do you think because I have a dissenting opinion, I must necessarily be some kind of shill. Come out and say it, if so.

I didn’t know one way or the other, which is why I asked. Perhaps the unspoken bias I’m putting on display is the assumption that no independent observer could possibly think their actions were ethical.
In the sense of a logical implication which follows with full logical necessity: it doesn't.

In the sense of a likely reason for someone to draw an inference: Most people do not specifically seek out excuses to take tests, and do so only because they want something that the test provides them with, such as access to a job-hunting platform. Most people who want access to a job-hunting platform want it because they are job-hunting or plan to be soon.

(comment deleted)
You're right -- most people's livelihoods don't depend on staying together with their girlfriend.
How about if you just always have a profile?
You shouldn’t expose a public profile for accounts that were private before anyway. Is that move even legal? I’m pretty sure it’s not GDPR compliant.
Even so, the decision to make this opt-out instead of opt-in is extremely questionable. If it’s just a spot to put badges, why is it so critical that it be rushed through next week? And why are you so carefully avoiding talking about the opt-out when a significant chunk of the people in this thread are telling you that it’s the main thing they’re upset about? “Sorry that you feel this way” is the worst kind of corporate-speak non-apology that makes it clear that you’re apparently not interested in responding to feedback, but just making soothing sounds at everyone until the smoke clears and you get to continue doing exactly what you planned.
> If it’s just a spot to put badges, why is it so critical that it be rushed through next week?

I'm guessing it's because their corporate metrics took a dive due to covid hiring slowdowns and now they need to justify their worth to investors who have put in $50 million.

I don't get why you'd think it's okay to suddenly make private information about your users public. The lesson is not "We should've included a screenshot" but rather "We shouldn't automatically opt our users in to sharing information they thought was private.". This is a betrayal of user trust.

I saw your email in my inbox but didn't read it. I never would've noticed with improved screenshots or not. Do you read every email you get?

Did you read the fine print when signing up? Maybe this goal has been in their fine print for a long time.
From a GDPR perspective, for anyone who is able to lay claim to GDPR protections, it wouldn't matter whether this is written in red on the first line of the agreement - "data protection by default" means that you must default to not sharing with an unlimited number of people.

What this means in practice is you can't default anything containing personal info to being public by default.

Yup. One of the best benefits of GDPR is that you don't have to read the fine print anymore, because companies can't legally put anything abusive in there, at least with respect to processing your data.
Absolutely. Article 25(2) is written for this specific situation, and expressly prohibits opt-out situations where personal data might be made publicly accessible:

"In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."

So what? Caveat emptor has no place in honest, trustworthy business practices.
>> The new profiles will be launching publicly in 1 week.

You are literally taking private data and making it public without consent.

Hey! Welcome to your first PR disaster.

I would suggest you step away from any scripts and turn on the company ears. Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.

Why does this make your users uncomfortable? How can you work with them to achieve your product goals without undermining your relationship with them?

Good luck!

> How can you work with them to achieve your product goals without undermining your relationship with them?

Literally just make it opt-in.

Opt-In doesn't help them achieve their product goals.

Triplebyte as founded isn't working so they're trying to take a valuable asset they have (engineers looking for jobs) to compete with linkedin

The problem with bootstrapping a linkedin competitor is the same chicken-and-egg problem with networks generally. You need people on it for people to join it.

What Triplebyte wants is your identity public. That's the product goal. The problem is that opt-in won't get them that. What are the incentives for anyone to make theirs public?

How many people who were searching for a job without telling their company are going to opt-in to make that public?

Most certainly not enough to bootstrap a LinkedIn competitor.

So someone had the idea to move fast and break things, either:

a) hoping no one would notice

b) hoping the fallout wouldn't be bad

c) not caring that the fallout would be bad

d) not knowing that there would be fallout

none of the above are particularly inspiring. It does seem hard to miss this coming

They could prompt at next login instead
> How many people who were searching for a job without telling their company are going to opt-in to make that public?

I think that's the real issue: timing. The only time this can work is when someone has just resigned or joined a new company, so they can (and are actually willing to) "legitimately" pump up the volume about themselves.

So make it an easy opt-in triggered by these events. Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship, should get opted-in automatically. Everyone else, you hold fire until something significant happens publicly, at which point you gently prod them. You can even ask, when someone signals they are looking for a job, "do you want your profile public at this time? It's a pretty cool thing! If not, no biggie, we'll ask again once things change."

It's not rocket science to do this respectfully and it's sad that they didn't.

> Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship, should get opted-in automatically.

Am I misunderstanding you? If you "get opted in automatically", then it's no longer opt-in; it's opt-out.

Yeah sorry, I should have been more precise: I meant to say that it should get turned on for those users automatically at those times.
But doing it all at once and having it opt-out accomplishes that. If "John Smith" has a public TripleByte profile next week, as a third party the only signal I can get out of that is that "John Smith" passed the TripleByte interview some time in the past. I'd be okay with this if TripleByte gave a couple weeks to opt-out and made certain potentially sensitive information opt-in. Just make it 4 weeks to opt-out and by default don't display the date they interviewed with TripleByte and don't display "Open to new opportunities". Then just ask the user what they want after new interviews and accepted job offers.

If they made the initial launch opt-in then that signals that the user deliberately chose to advertise that to the world. The message a current employer gets out of something that's opt-in instead of opt-out is notably different. This is just like the whole opt-out fiasco with the Do Not Track header. If it's opt-out, the signal is largely meaningless. In this case that's a benefit.

> Opt-In doesn't help them achieve their product goals.

None of the users care. Just because something is convenient, doesn't mean it's right.

On that note, I wish one day we'll stop letting startups get away with dishonest behavior (e.g. astroturfing) and dark patterns done for the sake of "solving the chicken-and-egg problem". Building a network is hard, tough shit. Doesn't mean you should build your company on lies and disrespectful treatment of your users from the start.

They could have made it low friction opt-in. “Click this one button in our email to you and we’ll import your account.”
If their goal is to have my identity public, that's a pretty bad goal--certainly not a profitable one.

I own my own business. I'm not looking for a job. Unless something goes really horribly wrong, I won't be looking for a job in 24 months, or ever. Having my profile public doesn't add to the signal on their platform, it adds to the noise. Having my profile public is a waste of time for me, them, and employers looking for someone with my skills.

> Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.

I've learned this lesson personally. Trying to be "clear" about my own perspective while ignoring what the other person feels.

"You don't like what you see? Impossible, you just can't see it. Let me make you see!"

The rhetorical technique that annoys me the most plays out like this...

Me: Thing You: I hate that thing Me: You don’t understand Thing. Here’s Thing explained. You: I understand Thing, I still hate it. Me: You don’t understand Thing. When you understand it, you’ll like it. (Repeat)

Sometimes this is stupidity thinking that understanding is missing, but I think it’s usually shady just so they have something to say to counter the objection that is visible to people outside the conversation, who are interested, and at least see some form of technical interaction.

(comment deleted)
There needs to be a catchy name for this type of interaction. I loathe it as well and it's annoyingly common. Companies that rely on this behavior should be called out repeatedly.
Willful misunderstanding? Confusion redirect? Defray to diffuse?

The technique seems super common now, and I’ve been expecting to run into it in some communications training, but haven’t yet.

I feel like there’s some crisis PR tactics this fits into that involves “Never disagree, redirect and ignore.” It diffuses criticism and makes it hard to argue.

It seems related to when I see a complaint on a review site that’s been responded to with “I’m the manager, please call me.” It doesn’t resolve the issue, but it shows that someone is doing something, so it diffuses pile on because it stops complaints of ignoring customers.

There is already a name for this type of interaction. It's called sales.
Hopefully his last too, as the company goes down in flames. But well, scumbag CEOs usually have parachutes (or Mary Poppinsesque umbrellas?) that take them elsewhere..
Thank you for the calm and instructive response. I was about to hoist my pitchfork but set it aside instead.
I strongly object to characterizing this situation as a PR disaster. The problem isn't that TripleByte is perceived as doing something unethical. The problem is that what TripleByte is doing is unethical.
Just because it is an ethical disaster does not mean it is not also a PR disaster. It looks a lot like both to me, one followed closely by the other.
True, but we're talking about problems here, not things working correctly. The ethical disaster is the problem. An ethical disaster should result in a PR disaster. If an ethical disaster results in a PR disaster, that's not a problem, that's the system working correctly.

I have absolutely no interest in helping companies who pull shit like this recover from their PR disasters. If you do something like this, you deserve all the bad press you get.

You’re not wrong, and as far as you and I are concerned, that is the problem.

From TripleByte’s perspective it is a PR disaster, or at least we should treat it as such. Appealing to TripleByte’s internal moral compass is unlikely to succeed since they’ve demonstrated that they don’t have one. So we resort to appealing to their self-interest, since that is something they care about.

I'm not ready to write people off and conclude that the Triplebyte team have no moral compass. Certainly many business people do lack a moral compass, and they show a lot of the signs. But writing off people as simply bad people is a pretty extreme step.

But whether these particular business people have a moral compass or not is irrelevant to whether we should be discussing this as a moral or strategic mistake:

1. If they have a moral compass, then the strategic mistake pales in comparison to the ethical mistake, and they'll get that. We should be encouraging people to listen to their conscience, not teaching them to equate their conscience with selfishness.

2. If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we dis-empower them and remove them from positions where they can do harm. Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing. If they really are just bad people, they should be treated as the blight on society that they are.

> I'm not ready to write people off and conclude that the Triplebyte team have no moral compass.

I’m not going to pronounce any absolute judgment or certainty about this, but I think it’s a serious possibility for us to consider.

> If they don't have a moral compass, then we shouldn't even be talking to them, we should be talking to each other about how we dis-empower them and remove them from positions where they can do harm.

I won’t ever use TripleByte again; will you?

> Even if we persuade a narcissist or sociopath that it's in their best interest to do the right thing in one situation, they'll just be presented with a new situation where they think it's not in their best interest to do the right thing.

I never accused anyone of being a narcissist or sociopath. Those are relatively extreme conditions. I’m simply describing people who have bad intrinsic moral character. And the world is filled with these people. As a society, we elicit good behavior out of these people by creating and applying incentives. It turns out that PR is one such incentive. Laws are another.

The fact that this is the top comment and that folks who trusted you are seeing this email first on HN instead of in their inbox means you fucked up. The details of what trimmings you put on the email were not the fuckup.
For now. What about the future? I just don't trust any company which changes the agreements without asking for my consent. In this case I just want to close my account and delete all my data. Seems like impossible. In Europe after making things like this they could end in jail for breaking GPDR rules. In US it looks like it's fine to gather user's data, sell them without consent, and then forbid to close accounts. And there are always people who repeat "the company is fine, they have right to do it". Except they don't.
Just the fact that someone used your service is a signal for their current employers, it might be used against employees during lay-off rounds as interpreting it that they are 'on the market'. In the current employment climate that is super dangerous. I strongly urge you to reconsider this re-use of data, especially for EU citizens where all use other than the one for which the data is gathered is illegal. See also: GDPR, specifity as well as the section on mandatory opt-in for future use.

Note that you are opening yourself up to major legal and financial liabilities, besides the obvious personal ramifications, ie: you're on the record as a sleaze unless you handle this with velvet gloves from here on in.

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

I am very glad that I sent you all a rude message requesting my account deletion a few years ago, this is an awful response to a huge issue. Good luck with the recruiting business when no one trusts you!
The message you should have received is that this should be opt-in, not opt-out. You're abusing your users' privacy. Screenshots don't change that.
Regardless, this breaches GDPR by making data public and accessible to an unlimited audience by default.

I hope (for your sake) that you don't have any users that can invoke their GDPR rights against you by virtue of their citizenship.

For the sake of incentivising companies to do the right thing, however, I hope you do have some EU or UK citizen users who do litigate or have their data protection authority investigate and formally punish Triplebyte, even if only to establish clear precedent here for the future.

Triplebyte is only targetting Americans afaik.
I'm a European in Europe and seem to have a triplebyte account
In which case, it sounds like at the moment they carry out a "data processing operation" to make your data public, you would have standing to make a formal complaint to your local data protection authority.

Article 18 restriction of processing can apply here. Art. 25 "Data protection by design and by default" would seem to be relevant as well. The section I alluded to above is the latter half of 25(2), saying "In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."

There's also the question of whether their consent or other grounds of processing suffice, which likely wouldn't for making anything public, but Article 25 makes it clear enough anyway this is illegal.

I am not a lawyer and this is not legal advice but ... I don’t think the European government has legal standing to fine triplebyte. Triplebyte doesn’t have offices, employees or customers in Europe.

A European visiting the US and interacting with an American business does so under the protection of US law, not EU law. This is complicated in the case of Facebook and google because they also do business in Europe, so European courts can fine their European branch offices. But Triplebyte has no such EU presence that the European courts could pursue. And they don’t advertise European jobs. I suspect an EU citizen interacts with triplebyte legally the same way they would if they went to a cafe in SF while on vacation.

The opposite would be crazy. If triplebyte can be fined by the EU, that would also mean the government of Australia or China or Russia could arbitrarily levy fines against any US company if one of their citizens interacted with a US website one time. And everyone would put geo blocks on their websites to protect from liability.

This may be true, but I have had US websites flat out refuse me access because they detect I'm in Europe.
Triplebyte can be 100% fined by EU, there are such previous cases where HQ is out of EU but they are serving EU citizens.

GDPR is very clear in wording that it doesn’t matter whether company has offices in EU or not, only thing that matters is if company is providing services to EU citizens.

Triplebyte can just forward those fines to the circular file. There is no practical method of enforcement unless they have a physical EU presence.
That's not correct. You can pursue damages outside of your jurisdiction through a process called "domestication". Generally speaking US courts will enforce judgements from other countries with a legitimate legal system.
Sure, they "can." But has it ever happened with GDPR? My gut tells me they'll direct their efforts towards more critical matters.
Not a lawyer, not legal advice either, but the GDPR approach to extraterritoriality is somewhat interesting. The presence of offices or employees isn't a strict requirement by law. The law, as written, would seem to apply to a US entity serving EU customers. But international law probably wouldn't facilitate doing anything about that.

Of course there is a question about how you could enforce such a ruling. And if it can't be enforced, is it really a sanction? I guess if countries wanted to take this really seriously, they could get a list of company officers and put immigration flags on those individuals, and hold them temporarily upon trying to enter that country, until the matter was resolved. But that would be rather extreme, and you do raise some good points around which countries can fine the companies of other countries.

CCPA from California seems to have some cross-border implications as well - perhaps we will finally see a framework for privacy laws that works better than today's hotch-potch?

I'm not an expert in the direct applicability of GDPR, but my understanding is a European, living in Europe at the time this change happens (but who was perhaps doing an online job hunt, considering a move) might still be covered. Admittedly this is an edge case, but it's not one I'd want to risk in the era of extraterritorial enforcement of various privacy laws.
A European living anywhere is covered.
I was reading about GDPR last week (since CouchSurfing was another company that turned scumbaggy and put up a paywall that one couldn't even access one's own account to delete it without paying a subscription), as I understand it, it only applies to people who were in the EU as the data collection occurred.
No, it covers EU citizens' data fully no matter where they are or where the data is. It may also cover non-EU citizens when in Europe which is perhaps what the article you read was referring to or had misunderstood.
It seems slightly unclear, but generally a lot of interpretations seem to be focusing on the location of the person. An American buying something in a European airport is protected by GDPR during their fleeting pass-through of the "GDPR zone".

https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-... seems to suggest it is based on location. There would seem to be standing for anyone based in Europe that made an account when considering a move to the US, or who is based in Europe next Friday when the "data processing operation" occurs. That seems like it would give them standing, even if they weren't protected while overseas, as this is a new data processing operation.

(comment deleted)
Not true, I ended up on triplebyte a few months ago as a result of ads, so I also have a profile, and I'm in Europe.
That’s not true. Even if it were, many Americans live in Europe and are subject to GDPR.
Still, please don’t do things that need actual consent in IRL (making something that was private, public)

If your new service is of true benefit, it will be used.

What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.
> What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.

Are you arguing for this change? Whatever the argument is seems to be based on misinterpreting 'private' as 'known by no-one else'. Exactly the same argument could apply to e-mail: it's not private in the sense that no-one else sees it, just hidden from the majority of the world; presumably, when you sent it, you were advertising what it said to the recipient.

> GDPR 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
I interviewed with TB a couple of years ago. Didn't do too great in the technical interview. Is that about to be public?
Same here. It's annoying that a technical aptitude test that I took when I was a freshman in college might now be publicly viewable as a benchmark for my skills.

And I know the e-mail says that results will only be shared if you did well. But, if you have a profile on TribleByte and there's no signal on your profile that you did well, the only logical conclusion is that you did not do well.

I'll be deleting my account, anyways. I didn't ask for this.

Similarly, I took a test in a language I’m not very familiar with to understand the process. I’m not terribly embarrassed, but I don’t want that publicly available.
See I did fantastic in the interview, but the interviewer was a noob :/

Edit: To be fair in their survey i think i said something like this sounded good, but it was phrased as "be part of an exclusive club of competent engineers" rather than "show current employer you're interviewing because you clicked on a banner add. And my whiteboard code had a bug.

Dude, just make it opt-in. It's that simple.
> 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

You may wish to consult your privacy attorneys; you'll likely be the subject of a number of GDPR complaints considering the above.

My interpretation of the above if you were to do it within the letter of the law (again, talk to your attorneys; I'm just a security director):

1. opt-in via settings page (or a modal on next login) for all people who already have accounts.

2. opt-in during registration for all people who choose to register accounts after the roll-over date.

Again, talk to your attorneys. If you successfully roll over without having taken the suggestion to talk to your attorneys, your conversation with your attorneys may change from "how to best implement this" to "how to avoid getting fined."

Your site is a job search site so the fact that someone has an account means they have been job hunting. This is not like Stack Overflow or Hackernews that you seem to like comparing the profiles to. StackOverflow may have job search functionality but it started as primarily something not related to a job search so my having an account there doesn't mean I have been job hunting.
Your SO account was also never private, didn't contain "test scores" for job skills, and was never a repository of sensitive information about you that you only allowed them to have because you trusted them to keep it private.

I've seen some epic CEO fuckups but this one is special.

I don't want a public profile of any kind on your website.

There isn't a spin you're going to be able to put on this that's going to change that what you're doing here is diametrically opposed to my goals. You knew that, which is why you tried to sneak it past everyone.

The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.

> The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.

In order for this to hold, there would have to be objective ethical claims which were independent of what people thought about ethics.

Please don't make your team work on a U.S. holiday weekend for this. Just don't hit the deploy button on this change and now there's no deadline and no need for crunch.
(comment deleted)
What you're doing is wrong and unethical, period. Do the right thing and walk back this ridiculous plan. Until then, I will do everything I can do to avoid your service and have others in my network do the same.
YOU are not in a position to determine what will or will not undermine me at my employer or my business partners. You can still fix this. Make it opt-in for existing users and opt-out for new users. Simple.
Not according to your own FAQ[0] on public profiles:

> Your public profile includes any badges you've earned, your basic info (current job title and company, current location, and years of experience), and the tech experience & resume section.

This information can very easily be used to identify a person, especially at smaller companies.

> ... to provide us the canvas to release badges. That’s it.

So before you were taking on LinkedIn, but now it’s just a place to release badges?

[0] https://triplebyte.zendesk.com/hc/en-us/articles/36004382061...

Thanks Ammon. I requested to delete my profile (I was trialling to see if we could use your service for our hiring pipeline. Narrator: we will not).
You have become a class 'A' manipulator. I thought I could see through people's crap. But you take the cake.

Thankfully I felt "odd" when I signed up for your "interview" test and never fully finished it.

Also, you single handedly brought me out of hiatus from commenting on HN.

What you have done with this decision is a friggin stab in the gut. If you think your foolish "it's only X we are making public! Not Y!" means something other than "oops, we got caught, how do we cover this up?!" then you are deluding yourself.

It looks like emailing candidate.support@triplebyte.com is the only way to delete your account.
> candidate.support@triplebyte.com

Did they purposefully go out of the way to make this email address unguessable/non-standard/multi-word

support@triplebyte.com is probably for clients.

Source: Candidate, has a very specific marketing meaning, of you being the product.

There’s a lot of things to dislike about triplebyte’s behaviour here, but this particular criticism isn’t fair.

I’ve worked at 3 different companies in the hiring space across two continents and “candidate” is the internal term they all ended up using internally for people seeking jobs. “Applicant” is too vague and “job seeker” is long and hard to scan (and it’s too similar at a glance to “job”, which is also not often used).

If “candidate” has bad connotations for you, I’d love to hear a better suggestion. But I still haven’t seen a more appropriate name for my database table.

Company / candidate / role / resume / profile / interview / offer. These are the terms almost everyone uses.

Not sure we are talking about database tables here. A user friendly email looks like help@xyz.com or support@xyz.com, not candidate.serialize.json@xyz.com
I don't think the parent comment was complaining about the nomenclature. I interpreted it as pointing out that in any hiring activity, the candidate/applicant/whatever is the product. A company pays a recruiting service in exchange for hiring a candidate.

(Of course, the candidate also receives value because presumably they are looking for a job and get one in this transaction. But the whole "you are the product" trope always ignores the fact that the "product" person is receiving value in the transaction).

So I wasn't sure where to opt-out at first.

I clicked privacy center, ( https://triplebyte.com/privacy-center ), couldn't find the option, but chose 'Opt out of Personal Information Sharing' because why not?

After clicking the button I had to click a confirmation email to get this approved. Then it said it would happen within 30 days and I may be required to show govt ID.

Why? I am already verified with my login account. It is not like I am doing something sensitive like changing a password or email. And what is this about needing to show govt id? They have zero reason to need govt ID to opt out of 'Personal Information Sharing' of all things.

Honestly tempted to just delete my profile. (That may also require govt ID.)

Indeed, it does require a gov't ID to delete you profile. Triplebyte is starting to look like Keyser Soze here :)
That’s particularly strange given that they didn’t even need me to show ID for them to get me a job. The first time during the entire process that anyone had any proof of my legal existence was when I filled out my I-9 so I could get a paycheck. They flew me across the country for interviews and invited me to the Triplebyte office for dinner on nothing more solid than my email address and a friendly face.
It’s not strange. It’s artificial friction to make it harder to opt out. It’s obvious they don’t want people to opt out so they make it very difficult to do so. What a shady company.
Yeah, I was using “strange” in a pointedly ironic sense. There’s no good way to spin the juxtaposition between the two standards.
Easiest thing is just to change your name, although obviously it's not perfect.
The solution is simple. Make your profile something they don't want on their site. Link to porn, change your profile picture to porn and so on. It's effective
XD

NightlyDev going straight for the jugular here. I cannot deny the effectiveness of this strategy lol

For what it's worth, I canceled/deleted my account this morning. Took me about 30 seconds to do thanks to this link and about 2 hours later I got an email that it was deleted.

No government ID required.

I interviewed via Triplebyte last year, and thoroughly enjoyed the service. Before this I would have (and did) wholeheartedly recommended them to anyone; the process was great from the candidate’s perspective and I also have confidence in their ability to accurately evaluate candidates’ skills.

After this announcement, though, I’m afraid that faith has completely crumbled. Even if Ammon had showed up in this thread and immediately announced that this was a terrible idea and they were rolling it back immediately, the mere fact that they were considering doing this is a huge blow. It doesn’t help that I skimmed the email when I got it this afternoon and didn’t even realize it was an opt-out; it was only when I saw this thread that I took a closer look and realized that the email was lacking a CTA button at the bottom for a reason. That seems incredibly shady to me and instantly changed my impression of the company.

Take heed, other companies: it only takes an instant to destroy your company’s reputation, and it’s incredibly difficult to win back that confidence.

For what it's worth, this was what happened to me. They regularly send marketing emails and updates, which I skim from time to time. It wasn't until I saw this thread that I realized that one particular email out of the (actually checks notes) 62 (!!!) unsolicited emails they've sent me in the last 12 months was this important.
For me, it seems like the emails picked up a lot in the last 2 months. I attributed this to covid aka a lot of people instantly out of work. The most cynical take is that they increased email frequency so this would be more likely to fly under the radar. I am not even sure I believe that though.
"it only takes an instant to destroy your company’s reputation, and it’s incredibly difficult to win back that confidence."

Not really. Given that nobody on here has identified the underlying problem, and are happy to blame everything on Triplebyte ... it just goes to show how nothing is going to change anytime soon.

Confidence in using this, and other services, will only grow.

I have used Triplebyte before (for the tests! wasn't available in my location yet) and before I was very excited about their eventual launch in my location. I will never use them again now.
I didn't find any good jobs on my last job hunt through them, but was happy enough with the process that I put their little certification widget on my linkedin. Gonna get rid of that now.
Registered on hacker news JUST to post this. I saw this email earlier today, skimmed it and thought "hmm cool they're competing with Linkedin or something" and then immediately forgot. I had absolutely no idea they were going to exploit my data and breach my expectations of privacy to drive traffic to their website (an issue in and of itself). And the part where they tell you to go ahead and opt out is hidden in there! Really not good
"breach my expectations of privacy"

Q: where did these expectations of privacy come from ?

Naive optimism.

There was never any indication our involvement with the company was going to be made completely public.

Others would have similar expectations, from other online services. We expect them to use our data in very limited ways that they've specified, and not suddenly start disseminating it in unexpected ways (if that is indeed what's happening with Triplebyte.)
You’re right. Supposedly the hints have been in the privacy policy since December 2019.

Identifiers, third parties. “ Companies that use our services to be matched with job candidates. Candidate profiles created by our users are accessible to the public. “

https://triplebyte.com/privacy

The expectation of privacy came from the fact that this is a recruiting platform; even mediocre recruiters know that discretion and privacy are critical since leaks about job searches can get people fired.
A lot of complaints below, and not much sympathy from the likes of me on this one.

An entire generation (across all age ranges) has willingly thrown out personal liberty in favour of convenience ... and now the surprise when that turns around to bite.

Honestly, what did you expect ?

I expected Triplebyte to help me find a job. This is what they said they would do—the only thing they said they would do—and they did so admirably. Then some eight months later they dropped a bombshell.

I’m not even sure what your argument is here; are you saying that because “an entire generation across age ranges” (whatever that means) collectively did... something... now companies can indiscriminately trample on everyone’s privacy forevermore, and nobody’s allowed to try to reverse the situation?

I get what you are saying, and yes, those are totally reasonable expectations in any community.

Im just saying - I think its amazing that _anybody_ trusts any of these Silicon Valley organisations to do anything reasonable. They are convenient to use, sure ... but ever trusting them to put your interests above their own. I dont understand how people can believe that.

If you hand over info and put in on their servers .. you dont own that info at all. They can, and will, do whatever they want with it to make another $

The problem is that non-SV companies aren’t generally any better, and frequently worse (cf all the security leaks where they release info that they didn’t mean to publish). The best we can do as individuals is push back against it when we see it happening, and advocate for legislation like GDPR to enforce it legally.

Your original post is poorly worded at best to get your point across; it comes off as a victim-blaming status-quo-advocating cheap quip, which doesn’t add anything to the conversation, either about this particular instance or the general problem.

Way to kill off all the goodwill your company had built in the community. Another money printing company killed by VC funding.
Thank God, I used a fake profile. I sailed the interview to 2nd stage but they couldn’t figure out how to interview a deaf SW engineer.
Is that a difficult problem? I'd be interested to hear what they got stuck on. I guess I naively imagine that in a world of text chat and voice to text it would be pretty doable.
They only initiate that phone call. I’ve explained that I can arrange for an interpreter by my side if they would give me a phone number in which I could initiate the call. But ... nope.
So pure can't-be-arsed by the sounds of it
I was also recently spammed by an ex employee that appears to have ex-filtrated my personal data. I notified Triplebyte and received no response.
If you are in the EU notify your local data privacy watchdog.
Email released the Friday before Memorial Day weekend. What are the odds!
Wow. Plenty of angry people in my circles.

Apparently deletion requires ID or something. Um... thats less good. I vaguely understand why if it was needed to sign up. [addendum: nope!]

Suggest you think carefully about your next step if you have an account. Maybe gibberish your account to whatever extent you see fit, update the email address somewhere less identifying (perhaps sneakemail) and go on with your life. Assume all details will be sold (you mean you didn't already?!)

I think they are out of touch with their userbase. Or they have even more plans their userbase won't like.

Addendum:

There's an option to control public visibility. Opt-out but this is only partial details. I would not rely on that "partial" aspect.

Worse still: if you want to "not be contactable for new opportunities" that only lasts for 24 months at max. You can't select a "not wanting offers at all". Minimum is 1 month.

This means you could be inadvertantly outed as "looking for opportinities" without even knowing it.

> I vaguely understand why if it was needed to sign up.

Nope! Triplebyte flew me across the country, put me up in a hotel, and otherwise arranged a job for me with nothing more than my email address and a phone number. The first time I had to provide ID in the entire process was when I filled out the I-9 form on my first day at the company that had hired me.

Sounds like a good experience. I don't have anything to do with them so color me surprised.

I've got around 150 messages and more within last few hours of our little group - all very unhappy. The irc server #rant channel is getting loud.

Edit: 150 and growing (growling?).

Yeah, up until a couple hours ago I had nothing but praise for them. They made the whole process go extremely smoothly, answered all the questions I had and gave me a ton of advice on the whole process, and their screening process was not only great from the my perspective but also gave me confidence in the quality of all their candidates. Then this happened.
You can't even permanently opt-out of "seeking opportunities". Be careful with that account. Could get you in some trouble depending on employer.
Registered an account just to post this. I used to like this company but it is now dead to me, I will never have anything to do with it ever again and I will urge people I know to stay away from it.

This is abusive and evil.

I did a couple interviews through Triplebyte in 2017 (Purge emails every few years), but can’t remember which email/single sign-on provider I registered with...

Anyone have ideas on how to figure that out without accidentally registering and exacerbating the problem?

don't most SSO providers keep track of that to some degree?

which means you might be able to find it there, other than that maybe try 'forgot password' usually my go to solution.

I tried deleting my account and apparently it takes 30 days for some reason! That looks so shady!

  We're processing your request and should be done within 30 days.

  We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

  Any questions? Email us at privacy@triplebyte.com
> Government identification may be required

Ah yes, the classic "send us more of your PII to delete your information." I've ran into that too many times.

It's a horrible way companies try to discourage data subjects from exercising their rights.

This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.

If comments here are any indication, too many people, being unaware of their rights, may fall for it though.

Well I live in France and will certainly not send them my ID. Lets see how they respond.
This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.

IANAL, but they may already be in violation of the GDPR with the 30 days processing time. While the GDPR states 30 days as the upper bound, the article about erasure also states:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies [...]

Notice the phrase undue delay. It seems that the legal interpretation of undue delay is as soon as possible [2]. Since the sign-up for Triplebyte seems to be immediate (you just create an account), they could also remove an account with a simple delete account button (remove some rows from a SQL database). So in the case of most web services as soon as possible seems to be with the click of a button to delete an account itself. Allowing a few more days for changes to propagate through storage systems and backups.

For anything longer, they should probably come up with damn good reasons when this is brought to court.

At any rate, they will have more serious problems if they make citizens public for people in the EU. They'll open up themselves to a huge liability. You are simply not allowed to use data for other purposes than what the data subject gave explicit well-informed consent for. And no, burying somethings in the terms and conditions is not explicit consent.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2] https://www.linkedin.com/pulse/term-without-undue-delay-cont...

> This is not lawful under both the GDPR and the CCPA.

INAL, but from my understanding that's exactly what GDPR itself suggests to do:

> The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

Thats mainly because [2]:

> There is a very real concern of fraudulent requests from bad actors, who might use a customer’s data for nefarious purposes.

While it's great to know that noone else is able to delete my account, it still feels shady af.

[1] https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1374-1-1

[2] https://konfirmi.com/blog/gdpr-personal-data-id-verification...

Is there a privacy preserving alternative to sending a scan of your drivers license/passport? Can you get a notary to attest your identity, and you send them the notarized request?
If the ID wasn't required for the account creation, why is it needed for the deletion?
That's only true if they don't have another way to verify your identity, not if you're logging in to an account using your username and password in order to delete it.
If you are in California, CCPA might be of some help.

Article 4(b) actually states that to verify you you (for a data delete request), they must do their best to use info they already have on you, and "Avoid collecting the types of personal information identified in Civil Code section 1798.81.5, subdivision (d)"

and in 1798.81.5,(d)(1)(A)(ii) we see: "Driver’s license number"

4(c) also helps: "A business shall generally avoid requesting additional information from the consumer for purposes of verification."

So if they can verify you another way, they must, and cannot ask for the DL (likely the only ID many people have)!, if i read that correctly

So instead of jumping through their hoops, file a CCPA request and have them chew on that.

Update for fairness: 11 hours later, I got the email confirming my account deletion. (Without having to provide any ID)
I have a few guesses about this:

1. Triplebyte knew this would cause some outrage, especially on HN and Reddit. 2. Triplebyte did some calculations and predicted that doing this on a Friday and only giving people a week to opt-out would result in the fewest number of opt-outs. 3. Triplebyte assumed that many of those outraged online would delete their accounts. 4. Despite all of the above, Triplebyte calculated that this move would make them more money in the long run.

I’m also guessing that these profiles will serve ads. I bet Triplebyte will offer “premium” plans for both job seekers and employers so that they can directly contact you more easily.

I hope this change incorporates necessary privacy measures for job seekers. I hope that this doesn’t become a 1-to-1 LinkedIn competitor that only seeks to get clicks and ad revenue. Only time will tell. I’m very skeptical but I won’t rage yet. I’ll opt out for now and see how it goes...

> doing this on a Friday

Was it Friday of a three-day weekend? That's one of the best news dump days of the year.

Yep, Monday is a holiday (if you happen to have a job, and have a job that gives paid holidays)
Jesus, what a horrific way to opt out. "Visibility" as the same contrast as text? Great way to kill _all_ motivation to use this company going forward. Weren't they in one of the YC groups?
Was in job search late last year so not much to worry about. But abuse me and you lose me, goodbye triplebyte, we hardly knew each other and never will.
(comment deleted)
Funny how this[1] is their modal when you log in.

[1]: https://i.imgur.com/0J4sVlX.png

Transcription:

> Welcome to Triplebyte

> As part of this exclusive network of engineers:

> - Companies reach out to you

> - You control what companies see

> - Your profile is private

> Now, let’s take a look at your new dashboard.

> [Next]