Tell HN: Triplebyte reverses, emails apology
Email by Triplebyte CEO, Ammon: ---
Hi xxxxx,
There’s no other way to put this--I screwed up badly. On Friday evening, I sent an email to you about a new feature called public Triplebyte profiles. We failed to think through the effects of this feature on our community, and made the profiles default public with an option to opt out. Many of you were rightfully angry. I am truly sorry. As CEO, this is my fault. I made this decision. Effective immediately, we are canceling this feature.
You came to us with the goal of landing a great software engineering job. As part of that, you entrusted us with your personal, sensitive information, including both the fact that you are job searching as well as the results of your assessments with us. Launching a profile feature that would automatically make any of that data public betrayed that trust.
Rather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.
So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours. I can point to two factors (which by no means excuse the decision). The first was that the profiles as spec’d were an evolution of a feature we already had (Triplebyte Certificates--these are not default public). I failed to see the significance of “default public” in my head. The second factor was the speed we were trying to move at to respond to the COVID recession. We’re a hiring company and hiring is in crisis. The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping. Inexcusably, I ignored our users’ very real privacy concerns. This was a breach of trust not only in the decision, but in my actual thought process. The circumstances don’t excuse this. The privacy violation should have been obvious to me from the beginning, and the fact that I did not see this coming was a major failure on my part.
Our mission at Triplebyte has always been to build a background-blind hiring process. I graduated at the height of the financial crisis as most companies were doing layoffs (similar to what many recent-grads are experiencing today). My LinkedIn profile and resume had nothing on them other than the name of a school few people had heard of. I applied to over 100 jobs the summer after I graduated, and I remember just never hearing back. I know that a lot of people are going through the same thing right now. I finally got my first job at a company that had a coding challenge rather than a resume screen. They cared about what I could do, not what was on my resume. This was a foundational insight for me. It's still the case today, though, that companies rely primarily on resume screens that don’t pick up what most candidates can actually do--making the hiring problem much worse than it needs to be. This is the problem we're trying to fix.
We believed that we could do so by building a better Linkedin profile that was focused on your skills, rather than where you went to school, where you worked, or who you knew. I still believe there's a need for something like this. But to release it as a default public feature was not just a major mistake, it was a betrayal. I'm ashamed and I'm sorry.
Triplebyte can’t functio...
677 comments
[ 3.1 ms ] story [ 200 ms ] threadRather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.
So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours. I can point to two factors (which by no means excuse the decision). The first was that the profiles as spec’d were an evolution of a feature we already had (Triplebyte Certificates--these are not default public). I failed to see the significance of “default public” in my head. The second factor was the speed we were trying to move at to respond to the COVID recession. We’re a hiring company and hiring is in crisis. The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping. Inexcusably, I ignored our users’ very real privacy concerns. This was a breach of trust not only in the decision, but in my actual thought process. The circumstances don’t excuse this. The privacy violation should have been obvious to me from the beginning, and the fact that I did not see this coming was a major failure on my part.
Our mission at Triplebyte has always been to build a background-blind hiring process. I graduated at the height of the financial crisis as most companies were doing layoffs (similar to what many recent-grads are experiencing today). My LinkedIn profile and resume had nothing on them other than the name of a school few people had heard of. I applied to over 100 jobs the summer after I graduated, and I remember just never hearing back. I know that a lot of people are going through the same thing right now. I finally got my first job at a company that had a coding challenge rather than a resume screen. They cared about what I could do, not what was on my resume. This was a foundational insight for me. It's still the case today, though, that companies rely primarily on resume screens that don’t pick up what most candidates can actually do--making the hiring problem much worse than it needs to be. This is the problem we're trying to fix.
We believed that we could do so by building a better Linkedin profile that was focused on your skills, rather than where you went to school, where you worked, or who you knew. I still believe there's a need for something like this. But to release it as a default public feature was not just a major mistake, it was a betrayal. I'm ashamed and I'm sorry.
Triplebyte can’t function without the trust of the engineering community. Last Friday I lost a big chunk of that trust. We’re now going to try to earn it back. I’m not sure that’s fully possible, but we have to try. What I will do now is slow down, take a step back, and learn the lessons I need to avoid repeating this.
I understand that cancelling this feature does not undo the harm. It’s only one necessary step. Please let me know any other concerns or questions that I can answer (replies to this email go to me). I am sorry to all of you for letting you down.
Sincerely,
-Ammon
You probably split the post up this way because the software told you the text was too long. Tip for the future: you can get around that by clicking 'edit' and adding the rest later. Don't tell anybody :)
Hmm? This just raises more questions about Triplebyte's product development process than answers, especially since privacy is a core product feature.
But I am scratching my head how they could honestly miss the importance of what they were planning to do.. I guess a combination of stress, pressure and usual disregard of privacy by big players clouded their judgement.
To me, that puts them at least in the middle
Malicious
Meh<---
Respectful
I'm sorry that you...
That might have been another bad day at work but whatever it was it really doesn't inspire confidence
Hopefully this reflection is sincere.
Yep, and that privilege may take many forms.
- Secure, well paid job.
- Friends in high places.
- Correct opinions for your area.
etc
I’m just tickled pink that privacy is becoming a feature people care about.
Ah, yeah, if you get too narrow in your targeting, it probably makes more sense to focus on networking than any sort of recruiter.
That said, I saw quite a range when I went through Triplebyte a bit more than a year ago.
I wound up at a company making 3D printers, which has (temporarily) semi-pivoted to make lots and lots of (clinically validated) NP swabs for COVID testing. So social good can show up in a lot of places :)
I don't buy it, and I'll be steering clear.
I still wonder why you tried the infamous "I'm sorry that you cannot understand" line here?
I don't mean to flog a dead horse, but you seem to be intent on digging a deeper and deeper hole.
It's not for you or anyone else to make someone's data public without their consent, because you think it helps them.
> and me to really hear what people were saying
Nobody should need to tell you any of this. If it truely did, then you clearly don't care a jot about privacy, and simply aren't responsible enough to manage other people's data.
A companies ethos and values cascade down from the top, so your attitude towards privacy is especially concerning.
I don't see this in any way as still digging the hole.
As for the rest of your comment, you seem purely to be repeating what he says he now knows. Although others have, I haven't downvoted you, but it feels like you're still being angry about what the situation was, and not trying to adapt to what this situation is.
I agree that there are still legitimate causes for concern, but it's worth taking time to think about what they really are.
I'm not still angry about what the situation was - I believe the only reason this feature was rolled back is because there was a big backlash. I really believe his whole attitude towards other people's data means he isn't responsible enough to store it.
It's exactly irresponsible moves like this that led to the GDPR in the first place (something else contravened by this feature)
I think it's also important to distinguish the idea from the execution. A LinkedIn alternative for developers is a great idea. The problem was the incredibly short opt-out (instead of opt-in) with notice given to users on Friday afternoon of a long holiday weekend.
I somewhat agree, in that the important thing for now is that he did eventually relent. But I'm not convinced he actually listened, so much as relented under pressure. I don't think those values bode well for the company going forward. I certainly hope I'm proved wrong on that.
I'm talking 20 million euros in fines
Second, you really think GDPR is going to be applied to some tiny American startup because they said they might do something and then didn’t?
Third, my understanding is that if you don’t target EU customers, GDPR doesn’t apply. It’s not enough that an EU customer happens to wander into your store. You have to have some accommodation targeting the EU (like translated pages, international shipping, different currencies, etc)
When the regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Unfortunately, the real fines are nowhere near the theoretically possible ones.
This is egregious enough that it could have actually resulted in a fine as opposed to a "please don't do that", but realistically, I doubt the fine would get near 100k.
Best case scenario you spend the whole weekend focused on whether the release went right...
Worse you spend the whole weekend cleaning a mess up.
Its pretty much always a lose/ lose.
I said don't release on Friday.
No ones release process is perfect and the best time to find holes in it is when you are just ready to have the week be over so you can happy hour on a Friday.
In this case at least part of the release process that was broken was how it was communicated to users. Now they have to spend the whole weekend putting out this fire.
Why take the chance in a non emergency situation? Enjoy your weekend and do it with a fresh mind Monday morning.
You could also come up with incentives to encourage job seekers to opt in; for instance, you could temporarily tag such users as "likely to get hired sooner" in reports for prospective employers.
Lets start lying to the customers on top of this fiasco.
If @ammon had said, “this will be a great feature,” the devs would keep quiet because they either (1) don’t want to be fired, or (2) trust he knows better than them.
A business saw an opportunity to make more money and took it. A large portion of consumer interests no longer aligned with their interests and we were caught in the crossfire. Fortunately, enough people shared the same concern that the risk for the business (Triplebtye) was now high enough that they had to mitigate fallout.
That's all that happened and all that typically happens. Perhaps Triplebyte management didn't see the risk or misjudged the backlash and expected only a few users to complain. I find it hard to believe this side effect wasn't at least a considered risk brought to to table and ultimately ignored by management looking purely at growth.
Yes, sometimes a shift in a business's goals cease to align with our interests and isn't necessarily meant to be malignant move against us directly, but there is certainly no concern for us in the process unless it is ultimately perceived as more net profitable.
This is why we should be quite careful as to what we allow business ownership over/access to and remember that profit seeking cost optimizations are only useful to us while they're aligned with our interests. Whatever behaviors we allow businesses to pursue without enough repercussion to care, they will pursue seeking profit: a proverbial "cost of doing business."
When a business's profit seeking interests are misaligned with ours or run counter opposite to our interests, we're in for a fight against a resource heavy entity we're likely lose, especially when certain behaviors are allowed to normalize across entire industries and accepted by culture in large segments.
1. There is an opportunity.
2. You did lose a lot of trust.
3. You didn't have enough trust in the first place to really take advantage of this opportunity.
I would encourage you to think about how you can earn that trust. This comes back to transparency and checks-and-balances. If you want to go that route, you will need to build hard constraints: legal and technological constraints which would have prevented this in the first place which you can't later remove.
This shouldn't have been down the bad judgement by the CEO. I don't know you, but even if I did, the Board can toss you ought next month, and the next CEO might have worse judgement.
Baseline: Right now, your privacy policy is not bad. However, you can change it anytime. You can eliminate it in the case of sale. Etc. You're paying a lot in trust right now for abstract flexibility down-the-line. I would not give you a model of what I know with that privacy policy, and to get to your vision, you'd need my data.
Good: Think through how organizations engineer legal constraint (GPL, AGPL, CC-BY-SA, etc.) to build community and trust. Engage folks like Eben Moglen and Larry Lessig, and come up with robust ways where Triplebyte can be trusted to manage user data, without needing to trust the Triplebyte management team.
Your team has a fiduciary duty to maximize shareholder value. Down the line, you might become Google (which has a trillion dollars to lose if it breaks trust) or you might become Yahoo (which is now mining personal emails in really evil ways, since that's the most effective way to scrape out the last little bits of profit). I want to know that if you go the route of Yahoo, or other companies I trusted with my data which went south, you won't be able to weasel out.
You should figure problems like:
* What happens if you do have a problem? If my data leaks, will you be liable, or do I bear that cost? If you are, that sets up incentives for you to have proper security. Consider it a cost of business (you can get insurance too).
* How can I verify what happened to my data, as you send it off to partners and "trusted" affiliates?
* How do I know my data was properly de-identified (I don't believe this at all, at this point).
If you can build something really robust, it will go a long ways to making you into a Google, by ensuring you won't turn into a Yahoo. It's a trillion-dollar opportunity.
I would encourage you to not go it alone.
1) There are people who have been thinking about this problem long and hard for a long time. Most are pretty accessible, and would be excited to see something strong here. There's a big pool of knowledge to build on.
2) You don't need to have something finished or polished to start to engage with either those people or with the community. You can toss out an early draft and solicit feedback if you're on the right track (rather than tossing out a fait accompli). You can even just solicit ideas.
1. Versioning of user consent.
A lot of services have been designed around the idea that once a user consents to the terms, they consent to any alternations you make in the future. This is legally very questionable, at least in many countries. Some services manage to keep track of the version of the agreement a user has approved, but then force agreement with any updated version. But in reality there's no need for this - users should be able to granularly consent (and withdraw consent) to different things, as and when it's desired.
In any case given the way this is interpreted in GDPR, and the direction of travel in California and other states, having granular consent seems to be a sensible short term investment to save a lot of pain down the line.
2. Handling data at a sale, acquisition or liquidation.
This one is more tricky, and I believe a Stripe co-founder mentioned this recently on HN as something to look into. Lots of companies see their database as an asset to sell. There's an interesting history of companies like RadioShack, ToysRUs, and others going through this issue and ending up in court over it...
3. Aligning your goals with your users.
It might be a bit idealistic, but it always seems to me that privacy works best when everyone's interests are aligned. I'm not sure how this fits for your situation, but it strikes me users wanting visibility get visibility, and if they get a job you'll benefit, as do they. That seems nicely aligned. And for people who want to be incognito, they remain incognito, but they know you're there. It's probably counter to lots of the "startup playbook", but even these incognito users are likely still valuable, maybe even net promoters, just not currently looking to be seen. So it seems your goals align nicely with users', and there need not be any hyper growth "dark patterns".
If you want to build a LinkedIn competitor it should be a completely different product to what you offer now with private employer<->employee hookups.
The two services should be physically separate in every sense, so there's no possibility of someone flipping a bit and accidentally making public someones private job search intentions.
Please don't comment about the voting on comments. It never does any good, and it makes boring reading.
Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.
That’s actually not true.
Also, your comment comes off as needlessly offensive:
> 3. You didn't have enough trust in the first place to really take advantage of this opportunity.
> I would encourage you to think about how you can earn that trust
You’re attacking him when he’s come back, owned up, and apologized for the mistake.
I'm also suggesting an alternative which I /think/ would have more privacy and more business value. I'm not an insider, so I could be wrong about either of those, but that's the point of a conversation. This way, he knows what would work for me, as a potential user. He can take it and run with it, take it as a problem statement and run with a different solution, or take me as 0.0001% of the market and ignore it. In his shoes, I've done all three at different times.
> That’s actually not true.
@woofie11, you should internalise this.
What the board has a duty to do is enact the desires of shareholders as they have made those desires clear. If the shareholders want to sacrifice profitability for some other goal, that's fine, normal, expected, and ordinary.
There is no fiduciary duty to maximise shareholder value.
Obviously negligence, fraud, and other possibly criminal or immoral behaviour that reduces or ruins shareholder value can certainly be a problem, but that's a separate issue.
Haters gonna hate and I wouldn’t take it too seriously.
Because you opted in to creating those profiles and the information they contain, and made them public. You opted in.
I’ve always found Triplebyte open and insightful and their response shows they’re receptive to feedback, which is a rare thing these days. People should be respecting that instead of crucifying one of the only companies that actually listens to them. No company is perfect all the time.
The CEO's whole attitude towards privacy shows how they treat privacy, and no, I'm not going to "respect" that.
The analogy with dating services that people were bringing up earlier was a good one. Sure, some people are in open relationships, which is fine, but if Tinder were to assume that everybody was OK with having that aspect of their personal life exposed in public, it would be a massive problem.
Even in the midst of a shitstorm where the CEO/Founder is publicly admitting to a complete lack of insight?
I'm only commenting now to cancel out your anecdote.
(And FWIW, I would have done nothing had it been opt-in. I would have been happy to leave my information private and strategically take it public when it suited me. The email, and Ammon's behavior in the original thread gave me little confidence that was an option, so I nuked my data.)
1) really pissed off about it
AND
2) compassionate enough to tell him why
The easier course of action, which I chose, was to quietly say "fuck you" and delete my profile. Ammon is getting a lot of valuable feedback right now. Yes, hatemail is valuable feedback. Because for every hatemail you get, there are ten users like me that will just bounce without a peep.
But, pushing features out the door is different than just deploying, so seems this is what happened. Then it doesn't matter what day you release your unfinished feature, it's gonna cause bad times.
The absolute most important part of the feature was a last-minute addition?
[0] https://www.imdb.com/title/tt0745682/
Lots of people would have done it right away and others would do it as they started to want new opportunities and/or got laid off.
Candidates who didn’t opt in probably wouldn’t be open to being contacted out of the blue anyway in a public manner.
They burned a lot of goodwill for nothing.
I can imagine, in that scenario, not thinking about all the devs who signed up over the years and are no longer searching, or are searching but doing so quietly.
Initially I was quite unhappy with how their CEO blindly defended the decision on the earlier HN thread, but I gotta give him credit for changing his mind and drafting this earnest apology. Everyone is human and its easy to get caught up in your own bubble, especially when you've been excitedly executing on a vision with a team that also lives in that bubble.
Still don't think I'll ever use their platform as either a member of a hiring team or as a job seeker. But at least this followup lessens my negative connotation for Triplebyte that developed over the previous few days.
Even if you wanted to make this an opt out feature the only sensible way to go about it is grandfathering in the old accounts into an opt in feature. Just like many companies grandfather in free customers while they charge new ones.
This is the foundation of trust.
Quite true. T-Mobile is now forever to me the weasels that silently broke free Google Visual Voicemail in order to force me into their own, judging by the reviews quite crappy, paid app.
I do think the bootstrapping problem is unfortunate - hopefully you can hit critical mass via opt-in.
And this might go against the grain, but if I had to give up a bit of privacy and get an edge against a peer for job that I need...I'd likely do it. But it seems like a lot of complaints were from still employed engineers and having their employers find out.
Yes, it is possible that this is merely the perfunctory apology TripleByte's users were undoubtedly due. It is possible it is entirely inauthentic, a mere artifice for damage control from a reputationally maimed business.
But it is also possible that, like all people, the CEO seriously screwed up. There were some bad premises, some bad motives, some bad confirmation bias at play here.
That being said, we ought not to judge people by who they were, but who they are capable of being. Is Ammon capable of rehabilitating?
I think the HN community should rightly accept this apology with great skepticism. They should scrutinize TripleByte's every move. They should wonder: has he rehabilitated? It will certainly take time.
No matter how much of a jerk Ammon is, I'm willing to trust-and-verify, so long as they get the and-verify part right.
No matter how great a guy Ammon is, I'm not willing to trust without the and-verify part. He might get fired tomorrow, and Steve Ballmer or Carly Fiorina might get brought in. It might go under, and get sold to Oath. There's a ton of possibilities.
He sounds honest enough in his apology, and on a personal level, I'm all for redemption and rehabilitation. It was also a one-time mistake. But I'm not dealing with a person. I'm dealing with an organization.
Zero of the organizations who got my data in the nineties are the same organizations today.
I believe society should stop centralizing its data, votes, money, etc. in the hands of a few. This decade we can work to change that.
No matter how great a guy Ammon is, I'm not willing to trust without the and-verify part. He might get fired tomorrow, and Steve Ballmer or Carly Fiorina might get brought in. It might go under, and get sold to Oath. There's a ton of possibilities.
Exactly. But when I say this, people often respond to me "no, this is the perfect example of a company that should be centralized" followed by justifications and downvotes. Decentralization is still as uncomfortable as the civil rights movement in the 50s, for many people.
On the other hand, there are a lot of places where centralized, with proper checks-and-balances, allows for a larger degree of scientific research and transparency. Medical and education come to mind.
1. Infrastructure should be more decentralized and let nameless providers compete
2. Information should be available to everyone and let nameless authors collaborate
1 produces a market of prices and competition, while 2 produces a collaborative edifice of knowledge and well architected software.
I'd like information to either be under my control, or managed as a public good by a non-profit or government agency with appropriate checks-and-balances and transparency.
A hosting company can be local Or you could host your files on your computer. If you host a social network where others also contribute content then you ARE the local hosting company and now you’re responsible for their data
That should all be a choice.
So if it was a bad idea before and it’s a bad idea now, has this whole episode even changed anything for you?
I honestly don't think that matters in the slightest. One of two things happened.
1. deletion requests spiked like you wouldn't believe
2. the board caught wind of the bad feedback and forced this response.
#2 i don't believe for a second. it beggars belief that the board is following day-to-day activity and further, at the start of a holiday weekend? no. way.
not independently anyway.
#1 must have happened, ammon asked for advice from the board and other close allies, who wordsmithed this reply. there is 100% no way that this email came from the same hamfisted person that deployed this change in this particular way with this particular timing.
So why doesn't it matter? Because the action is taken, quickly, and the lesson learned. For observers this is also a great lesson - in damage control.
The problem as I see it is that this has to get buried, quickly. The damage is done. TB was obviously already on the ropes, leading to this poor decision in the first place. I've never used TB, but what I hear about it is more bad than good. Good luck to them.
> #2 i don't believe for a second. it beggars belief that the board is following day-to-day activity and further, at the start of a holiday weekend? no. way.
I don't think it's so implausible. Remember that Triplebyte is a YCombinator company (so someone from YC probably sits on the board), and the uproar about its actions occurred on HN, YCombinator's site. I wouldn't be surprised someone who read this on HN was either (1) a partner or employee of YCombinator or (2) knew someone at YCombinator and alerted them.
It’s not just failure of ,,effects’’. I’m an EU citizen and it was a clear intent of GDPR violation.
This is about a serious and willful GDPR contravention as you can get. I hope they have good lawyers because they are gonna be hauled over the coals by multiple countries' data commissioners.
Wow just wow.
But I'm asking whether GDPR authorities have any recourse to take against a US corporation that has not expanded into the EU.
If Triplebyte doesn't even do IP filtering for signups, they are servicing EU citizens. Actually I told them that I don't have US VISA, so the ,,local golf course we site'' case doesn't apply.
Still, probably too little, too late for most people (myself included) who just saw their trust permanently breached by a brash move and get told by a CEO that you'll love it, honest! All you just need is to understand it! If you don't like it then it's your fault because you don't understand! And this doesn't even begin to address all the dark patterns they've caked in their UX.
"We're processing your request and should be done within 30 days.
We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.
Any questions? Email us at privacy@triplebyte.com"
They didn't need "government identification" when I signed up for it. Never going back to this site again.
You built a company that's obviously valuable and lots of people rely on. Now you have a lot of responsibility. You're going through the "trough of sorrow" with respect to a new feature.
This is what inevitably happens when lots of people come to rely on you. The one thing I'd like to say, which may sounds strange at first, is think about why you really need each piece of data.
https://www.theguardian.com/technology/2019/jan/20/shoshana-...
There is now a growing movement including GDPR and California's privacy laws. You can see how duckduckgo is able to make money by advertising around keywords rather than personal data, etc.
You can help lead this movement, by allowing job candidates to have most of the data encrypted, and only reveal it to companies on a need-to-know basis. Push the point where they reveal it further back, and you'll have less friction for new signups. Every time people are asked for data, they'll already have a good reason: someone wants it. To be clear, that includes the candidate's Name, Age, Gender, and other private info.
These constraints are walked back almost immediately in practice, once companies learn that requiring a human touch for a deletion flow is not worth the hassle.
I think "legal" here meant what's the bare minimum to respect the letter of GDPR law, while not actually implementing a useful delete flow.
Appreciate the honesty here by admitting that account deletion relies on dark patterns, but it brings up two salient questions regarding how you approach product development.
1. Internally, do you at least have the equivalent of a “directly responsible individual" (DRI) for the product? It seems no one spoke up in the interests of users against legal’s overzealous decision to tack on lots of friction to the account deletion process?
2. It seems you could have also garnered some push back on the feature from your alumni Slack [0] but didn’t, perhaps due to the rush to ship quickly?
In addition to the changes you’ve pledged as part of rebuilding user trust, hopefully, you & your team will reassess your product development practices to add these checks so that such mistakes are not repeated in future.
[0] @hysan mentions that TB maintains an alumni Slack upthread: https://news.ycombinator.com/item?id=23304199
They messed up, they sought to rectify it. Good job.
At the time, I thought that vision was a mirage; a recruiting agency grasping for VC dollars.
Now, it looks they're trying to find a new vision.
If anything, I’d say Triplebyte hopes to be what those consulting companies are but to startups.
Now, if it turns out startups just have crappy budgets, then you have to lower the barrier to entry into the platform to accommodate those budgets.
Similarly, if you indoctrinate enough of new grads/bootcampers to feel like they need the Triplebyte cert (feeling left out that everyone is in Triplebyte and you’re not? Welcome to the psychological game, behold the public profile and badges), you can then also indoctrinate startups into thinking that’s the standard that they need to be looking for too.
Anyway, devs with enough experience should be out of this game mostly, this will affect the entry level tier of developers going forward. You might be stuck in the damn Triplebyte loop.
Rather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.
How about we stop giving our data to third parties just so we can use their software.
"The Cloud" is a corporate euphemism for "extreme centralization of data in our servers".
And "Software as a Service" is even worse, because it basically says you are RENTING the software, and trusting them to do "the right thing", including and especially with your data.
This is insane. It's 2020. Why are we doing this? One reason: we don't have a good open source alternative that can be hosted on many different places. Such an alternative should actually be end-to-end encrypted, and the hosting should be just redundant dumb boxes earning cryptocurrency for storing something.
So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours.
What happened was the same thing that happened 17 years ago when Mark Z laughed about the "dumb f$cks* who "trusted him" with their passwords. To quote the excellent V for Vendetta speech:
How did this happen? Who's to blame? Well certainly there are those more responsible than others, and they will be held accountable, but again truth be told, if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War, terror, disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you, and in your panic you turned to the now high chancellor, Adam Sutler. He promised you order, he promised you peace, and all he demanded in return was your silent, obedient consent.
Look, I'm biased. I have put my money where my mouth is and am building this reality (https://qbix.com/platform and https://intercoin.org). I have historically been downvoted for even mentioning that I am doing tangible things to solve this and give away the software. But I persist in doing so because it's better to actually build the alternative than talk about it endlessly. The Impossible Burger will do more for veganism than decades of talk ever could.
If you want to join this effort, email greg at the domain qbix.com . But whether you choose to support Mastodon, Matrix, IPFS, Dat, MaidSAFE or whatever, realize that we need to move towards a future where infrastructure is decoupled from power over your data. Your data should be encrypted and only enough shared for indexing. It should be provable with verified claims and zero-knowledge proofs, but only with your consent.
Take for example the telephone industry. We had telephone switchboard operators, and it cost $1-3 a MINUTE to make overseas calls. You could make the same argument: "AT&T is the perfect example of a company that should be centralized. They have a reputation for connecting your calls reliably, and you trust them to not broadcast your calls to others. But, of course, in the last 20 years the Internet has introduced Voice over IP and now ANY company can provide faceless, nameless infrastructure and get paid, while your calls go end-to-end encrypted via the wire.
Are we all better off? Yes! Having decoupled infrastructure from power over your data (calls), we have dropped the cost to zero. We went from monopolies and cartels and feudalism to "dumb pipes". We have videoconferencing right now, something unimaginable 20 years ago not just because of bandwidth but because there were "perfect examples of companies that should be centralized" and "reputations that we can trust". There is far more at stake.
In the past, we had human calculators, printers, mailmen, etc. They provided a lot of value. Lots of industries did. Today we don't. Don't blame TripleByte. Blame the lack of good permissionless, encrypted alternatives.
Remember, the phone company was the canonical example of a “natural monopoly” by economists even including Milton Friedman. That’s why I chose that example. It eventually got decentralized too.
If TripleByte was the only game in town then a new candidate would fail their test and then it is game over. No more job search.
I am enjoying my -3 downvotes at the moment, waiting for my post to be flagged for daring to speak to the root of the issue.
The root of the issue is not TripleByte. Don't blame TripleByte. Blame the lack of open source, end-to-end encrypted alternatives. Why is saying this such a scandal?
Is that because deep down inside you know the public would be foolish to trust your company in its current form?
1. Triplebyte attempted a big move against LinkedIn, tried to ease the blow to users by dumping on a Friday before memorial day weekend
2. Triplebyte, the company built around helping people find jobs, truthfully didn't understand that people might have concerns about their current companies knowing they are job-hunting
It's pretty obvious it's #1, and that opt-out rather than opt-in was the only way it would gain the critical mass needed. The outcry hit critical mass and now they need to walk it back, until they have a different strategy for re-segmenting LinkedIn's market
Not that it would matter if they were. Other people doing nasty things is no excuse for doing them yourself as well.
But what about following every dark pattern in the book to prevent people from actually opting out[1][2]? There was not even an option to opt-out indefinitely.
It seemed like an extremely carefully engineered effort to trick the users. How can something like this be considered "unintentional"?
[1] https://news.ycombinator.com/item?id=23280040
[2] https://news.ycombinator.com/item?id=23283237
(For those who wonder: that and the Buzz incident made lots of people hate or at least distrust Google.)
Why why why do companies do this?
During the last 6 months I've stopped logging into Stack Overflow. It is a nice resource but for me it is read only for now because they messed up so hard - and refused to come up with a real apology.
Same goes for Quora: they betrayed us hard by trying to tell everyone what we were looking at. (Edit: next sentence added later:) Now imagine you've been reading up about health issues and realize it is suddenly on your profile. Still now, many years later I shun them as they haven't as far as I see come clean.
In some cases, if it get caught early enough, just saying: "we messed up, sorry, here's what we will do:" can be enough.
In other cases - where there are layers of bad patterns, lies and contempt for users and volunteers I actively want to punish them until they start behaving.
Quora (broadcasting sensitive information), Google (trying to kill the web, insulting me with insanely misplaced ads for years, trying to kill Firefox), Stack Overflow all goes on my list of companies that I actively work against, but I guess only until I see real change ;-)
IIRC Monica asked if would be OK if she (or someone else?) wrote in a way that sidestepped the whole issue, for example by writing about "the user" instead of "he and/or she".
Again IIRC they leaked information to newspapers, misrepresented the case and issued one or more non-apologies before trying to pretend nothing had happened.
And why it became okay to compel someone to use a certain pronoun as opposed to compelling them to _not misgender_ is absolute lunacy. Monica wanted to write her sentences in a way that did not require pronouns period, and they decided that was not okay. Not to mention all the mud-dragging and character assassination they pulled.
I’m on mobile so won’t dig up the link but go find what Monica wrote on it
And then obviously Monica crowdfunded $25k to sue SE, they came to an agreement and neither party really talks about the incident any more.
There was really no need for the situation to escalate as harshly as it did and SE shot themselves in the foot repeatedly.
If the goal is to run after LinkedIn it seems a logical way to go, but they have a very strong head start on that.
Ammon, the big money is going to be chasing cost savings as more remote workforces can now take advantage of overseas labor. The perfect storm of cost reduction pressure and remote workplace growth gives Triplebyte a great position to be the front runner in helping companies find less expensive overseas talent.
IMHO, that's the saddest thing about this. Triplebyte has a niche where they can provide value to companies and job seekers. But producing an objective analysis of someone's coding skills is expensive and doesn't scale well. They could make millions every year but it's not and never would be a billion dollar company. And it's too bad that millions is not good enough.
> The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping.
In fact that paragraph is what made me accept his apology. The reflection and honest answer of how he decided to ship this feature was more than any company apology I've heard in the past.
"Money got tight, so we decided to monetise your sensitive data!"
I think LinkedIn is a massively privacy violating service, and alternatives are a very good and important thing to see. I would add one comment though perhaps helpful in the future:
One reason people here take such a vigorous stance against startups doing these kinds of "dirty tricks" is because they want real alternatives that treat them as more than a number of a row in a database. The incumbents will use opt-out techniques and consent walls, and dark patterns to grow.
But at the end of the day, they're being valued by the number of rows in their database. It seems there's a real potential to have lots of (but fewer) rows in your database, but for them to be actual valued users who get value from your service, and you make money from. Hyper growth scaling doesn't always have to be the only way. A curated network of a focused and high value verified demographic is likely worth orders of magnitude more than the incumbent, without any data selling or shenanigans.
And that's saying it gently.
Not sure if they're still doing it, but the way they were harvesting e-mails and then using them to spam the harvested contacts, they were no better than any other phishing site.
For people who use the same password on LinkedIn and their e-mail account, it was extremely easy to accidentally "consent" to this, and I've seen many an apology to the spam victims from someone who accidentally gave access. And they would spam everyone multiple times, with no way for the recipients to stop it. (They paid a $13M settlement for this; gladly, I assume).
It still boggles my mind that e-mail providers didn't both block LinkedIn's IPs from accessing contacts and spam-can everything from their mail servers.
Looking back at my email archives, I was still getting "X's invite is awaiting your response" emails in October 2018, after GDPR began.
Perhaps I am taking an overly strict view here, but given my email address is my personal data, no amount of consent (or indeed waivers/warrants from users that they have my consent, which LinkedIn has no genuine reason to believe true) can grant them permission to store and process my personal data.
It seems nonetheless unavoidable for LinkedIn to have carried out the process of linking my email to the person that sent the (unsolicited) request. This kind of behaviour is really rather scummy. I hope that invite spam could be a separate case on the basis of a GDPR violation, rather than the "accidentally going into people's email and getting their contacts" (as incredulous as it is to even write this!)
- trust is a crystal ball, you can drop it and break it, patch it back together again but it will never ever be the same way it was before, it can only degrade
- if you plan on being a player in this field you will have to take the privacy of your users serious, this includes doing your privacy and security reviews by the book because if there ever is an involuntary disclosure what you've seen in the last couple of days will come back hundredfold.
In my opinion, in 2020, any company that releases software and has more than like 20 engineers should have at least one VP-level privacy approver who has the power to block releases.
Thanks!
Riiiight. You didn't realize how big it was because you didn't care, until it was clear it was going to have a serious negative impact on you. You didn't care about the privacy of others or otherwise you wouldn't have made the choices you did.
Dude, you were going to use us to publicly endorse your new platform via usage and give it immediate legitimacy, without our consent. Don’t you get that’s what “critical mass through public profiles” means? People join because people are already there?
This is probably the post that disturbs me most of what I’ve read, for simply ignoring that the decision was problematic on multiple levels. Either you’re still not completely getting it or this is disingenuous, and neither option is comforting.
And trying to be charitable as possible here, it’s very easy to take your clinical recounting as being cavalier in its precision. I don’t think we’re all necessarily far enough from the situation yet that you should treat it as the distant past when discussing it. You still have my data, at least for the moment, and it’s still an ongoing concern.
Edit: Nevermind, I just got the email. Still no response to my request to delete my account.
This e-mail (which I also got) seems like a heartfelt apology. They fucked up, realized it and turned the ship around. They listened and that's what counts for me. They listened to the negative feedback and responded to it.
Some comments around here are extremely negative of the whole situation. More negative than I think they deserve. They could've pushed through and ignored all the feedback they got. They didn't, and that's enough for to show the company and its CEO isn't utterly rotten.
@ammon Thanks for listening and participating in the discussions on HN. You made a mistake, but the fact that you responded is enough for me to put my trust in Triplebyte in the future if the need arises.
People would have gotten laid-off to this. The dark patterns are just cherry on top.
The negativity is well deserved.
Everyone makes mistakes and if nobody would be willing to look past that, then we'd never get anywhere.
And it would have gone over a lot better if he was honest about what happened. He got caught with his hand in the cookie jar and he's all "was that wrong? Should I not have done that?". They knew exactly what they were doing and calculated that it was worth it.
Any new feature that is announced can be met with some negativity. Sometimes it just ends up working despite that. It is not surprising to me that at first, they tried to defend their plans. It probably took a while for the backslash to sink in and their own opinions to change.
I wouldn't expect every company, even ones that target HN's primary audience to turn everything around right away because of an angry thread within a few hours. They turned around in 2-3 days. Quick enough if you ask me.
Disclaimer: I am really not in any way affiliated with Triplebyte. I am not even a user/customer. I just see a lot of negativity that I that I find unjustified.
Calling it only a "feature" is just downright twisting the facts.
And engaged in a host of dark patterns that made it difficult for people to effectively respond to that, for example by getting the data deleted and cancelling any account they had. The problem wasn't just the original error in judgement, serious as that was. It was the doubling down on it in both the implementation and the handling of the criticism when it was announced.
Empathy is unconditional. It says "wow, that must be really painful/terrible/scary". It carries no judgement around the accuracy of such feelings, only an understanding that they are real for the other person.
Disagreeing comes later after you have shown there are legitimate competing solutions.
"I'm sorry you feel that way" fails at the first so you haven't yet earned the right to disagree agreeably.
So when you receive negative feedback on something - how should you respond?
What if you're used to some certain baseline level of negativity? How should you respond then?
I feel like there is feedback on the individual level and the aggregate level. Clearly in this case TripleByte saw that they would have alienated a large and important community but I'm convinced you can blame a CEO for being diplomatic but thick skinned.
I mean this is the community famed for trivialising Dropbox
Most of us get through life without ever making that many people that unhappy all at once though. It's not like this outcry wasn't obvious and predictable to any reasonable person.
https://news.ycombinator.com/newsguidelines.html
He's not sorry about what he did. He's sad he got caught.
Assuming good faith is not prudent when dealing with people who want your money or data. We have enough collective experience at this stage to say this conclusively.
Edit: Being cynical is the new normal when dealing with companies. Especially if they have your data, or want it.
Yes, we know they weren't doing it for the goodness in their hearts, but there's a huge leap between
- using what they know about me to sell services to others (classic Google)
- and outright selling/publishing my data to others
There's a reason why I still - despite all my dislike for Google - still respect them somewhat: they actually seems to try to guard their treasure chest of juicy customer data against both governments as well as everyone else, they seem to be in this for the long haul.
Edit: try to avoid being rude / abrasive
How am I being taken advantage of if I read that letter and think "Well, good for them to finally realize things and take the right steps"? And I hope you're not speaking for everyone when you talk about good faith.
They've "stopped beating their wife". That's nothing to be proud of or rewarded for.
Everything else so far is just empty words. (Well written and convincing words, sure. But that guarantees nothing, any of us could find somebody to write a great apology if we're prepared to pay. Means nothing.)
So reversing and apologizing is still taking the wrong steps? Is this one of those situations where no positive descriptor must ever be uttered about someone?
> That's nothing to be proud of or rewarded for.
Good thing I never said that. I don't think we're speaking the same language here.
Well said. This ought to be taught in schools.
Being slightly pedantic I'd change it to "when dealing with companies that want your money or data" rather than "people" (though I've pretty sure that's the general meaning you intended anyhow).
> spend a couple days on HN telling people they shouldn't be mad about it.
It was actually a only a couple of hours and a few (very inflammatory and highly downvoted) comments, near the beginning of the thread, and then radio silence as the fire raged on.
I think that he took a step back and began reconsidering after realizing that his comments weren’t helping any, but because they were the only thing he said in that thread and a lot of discussion was focused on them it seemed like a lot more activity than it really was. (Not that this excuses anything, but I think it’s important to be clear about what happened.)
This confuses me. What big payout could they have gotten from making this public?
You make it sound like they tried to hide this and got caught - that’s absurd given the facts.
[1] https://news.ycombinator.com/item?id=23279837
[2] https://news.ycombinator.com/item?id=23283237
I was also furious when I found out, and still am upset at how they went about this situation in the beginning. They could've handled it much better. But they did what the community asked for, and nobody was harmed in the end. I would argue that this was the system actually working.
I think we should incourage good behavior, instead of being totally unforgiving of all mistakes. Hopefully other companies can learn a lesson from Triplebyte and think twice before making this mistake at all in the future.
I'm still not sure if I'm going to keep my account with them, but I do feel better about it
Consider how you would feel if a credit card or a bank did this? Would you ever trust them again?
No, you would not.
Why wouldn't another company first try to push privacy violating changes on a Friday, when people like you are so willing to turn a blind eye to it if they get caught?
They violated trust and it's going to take a lot more than an email apology to get it back from people who care.
Again, it will take a lot more than some words on the internet to gain back trust from people who care about the fact that they were tricked for financial gain.
Ammon got talked out of making all his user's sensitive job seeking intent public. He is still the guy who thought that was an OK thing to do. Maybe he was drunk. Maybe he was going broke. He didn't _actually_ beat his wife. This time.
And worse, who is to say they won't do this again later when no one is paying attention?
Do you have personal guarantees they won't?
This reaction seems way overblown. Its fine to criticize a feature but lets not pretend this is some nefarious plot that would have resulted in layoffs
> This reaction seems way overblown.
A badge on a user's now-public profile at a service that's used only when job hunting. Any company that noticed that one of their existing employees had a profile at Triplebyte could guess that the employee was looking for employment elsewhere. This would not be good for their career prospects, and could easily result in the job-hunting employee being chosen for a layoff or skipped for a promotion - most companies would rather keep or promote someone who's not about to leave.
-- Layoffs are happening around COVID, now who do you think a manager will feel more OK picking?
-- For luckier companies, bonuses/refreshers/promotions happen at different times, a candidate may want their manager thinking about their work vs. them exploring greener pastures
That's sensitive stuff! Some candidate may like being exposed (it's a threat!), some won't (shows disinterest! distracts!). Crucially, the question is of agency: folks entrusted TripleByte, expected privacy based on TripleByte's marketing and industry norms, and instead of having the decision, got into a world of dark patterns (opt-out, weak notification, difficult avoidance, long time delays, ...).
Edit: People are down-voting this. Consumer tech companies have been going through layoffs, generally one or more rounds of 20%. Many B2B's are on a delay, and are starting to see numbers around their b2c customers plummet: easy for more to happen as ripples continue. What could have been an opt-in feature to help folks maybe get better new positions was instead setup to add easily-avoidable risk.
This won't happen to everyone, but again, it's a matter of agency. Someone at a tiny startup may not care, but someone at a bigger or more political org might might feel risk differently. It's their career, not TripleByte's.
Right now? None. Because sensibly there is no such publicly available thing.
Any recruiter or hiring manager who doesn't at least look for a candidate's public LinkedIn page (and in those roles, they should also have LinkedIn premium or whatever it's called too) is not doing their job properly.
I have little doubt that this would have become "standard procedure" for managers when prepping for the "forward looking" section of a performance review and when making decisions about promotions/layoffs/payrises - if Ammon had got his way.
If a company would lay you off because you have a profile on a jobs network, they’re really a shit company you wouldn’t want to work for anyway.
Not that I agree with their actions - anything like this ought to be opt in only, but I can’t see people getting laid off. I have a profile on linked in with my boss and multiple people from my company as contacts, I’ve got profiles on multiple additional jobs board both locally and nationally. I’m not really looking for a job, but I have absolutely no reason to think I’d get fired for having a profile on triplebyte (which I do as well).
That would have been much easier to say a few months ago. But now, lots of startups and even large companies like Uber and Airbnb are laying off workers. Suddenly, for many, staying at that crappy company they currently work for is starting to seem like a much better option.
Sure, but you still have a mortgage to pay and would like to switch companies on your terms rather than on your employer's terms, right? Have enough time to find the right job you want, instead of the least-worst because you're really not comfortable with being out of work in what's looking to be a long economic crisis?
You have strong evidence Employee A is unsatisfied and looking to move on. Employee B has given no indication of such.
Which one do you lay off? Keep in mind that unsatisfied employees often have a detrimental effect on the morale of their (otherwise content) co-workers.
Answer: You lay off Employee A. And not because you are a bad CEO or bad person. You do it because it's legitimately in the best interest of the company.
Now take the same scenario and substitute a promotion in place of a termination. Which employee will get the promotion? Which employee is in your best interest to invest more money and time in? I think you know the answer.
So you're not going to point out any logical flaws in the scenario? You're not going to tell me why it's not a useful exercise? You're just going to avoid answering it because.... reasons.
> Firing someone because they have a profile on triplebyte is just silly.
Neither of the examples I gave were about firing.
>I ge that you all need to justify your rage over this, but this really makes no sense
I don't have any rage. My comment didn't express any rage. It gave two perfectly sound illustrations of why this information being public could put one at a disadvantage.
>The world doesn't work the way you want to believe it does.
Please elaborate. How does it work? And why is your experience about how it works more "correct" than the hundred of commenters here?
>I don't know, maybe you work somewhere that's normal, but if you want to call something toxic, that's toxic.
You can prove it by answering my question. What decision would a non-toxic, perfectly reasonable employer do? What would you do? I'm genuinely curious.
>No boss I've ever had would care less about my online profiles.
Same here. Aren't we lucky. Not everyone has had the same experience as evidenced by this thread.
You've now admitted you're not even in the situation, so why debate for it other than internet gotcha points?
You haven't given a _reason_ why it's "silly" and "not worth addressing", you just declared it so. That's not how civilized debate works and not how intelligent, honest, people disagree.
>You've now admitted you're not even in the situation, so why debate for it other than internet gotcha points?
Because I believe in privacy, ethics and get some enjoyment out of vigorous and fair debate. Sometimes my mind gets changed, sometimes I change other peoples minds. Other times, there are people who just aren't up to it intellectually and cover their ears and spew childish nonsense.
So let's cite some sources shall we?
1) According to a specialist in employment law at Dilworth Paxson LLP and author of the online law blog “The Employer Handbook” it is sometimes advisable for employers to terminate an employee looking for other work.[0]
2) According to hundreds of professionally employed developers on HN. "We feel at risk of this happening to us."
3) According to internet user jkl275. "That's silly because it doesn't match my experience. And if it is true, the company you work for is shit. Therefore your concerns are unfounded because.. well... I'm not sure. Why are you even arguing with me!?"
[0] https://blog.shrm.org/workforce/caught-in-the-act-employees-...
Ever hang out with a sociopath/narcissist? They give the best heartfelt apologies, they almost make you feel guilty or something.
And then, they do it again. And again. And then again some more.
Only time will tell how "real" something is.
Let's be real here. This guy's business went to shit because of the pandemic, and he's panicing that he's going to get kicked out of the cool kids VC club. Then he made a big strategic boo boo to try to stay in the club, and laid on a bunch of rationalizations why that wasn't the case last week. Now, he realizes he's doubly fucked, and got a PR firm to help him do damage control.
Which honestly is fine to me. I don't care one way or the other. It's just funny to see people contort to not see the obvious.
Not sure I agree with that. There's a very obvious example of clinical narcissism that we frequently hear about these days who seems to be a strong counterexample, in that they have never gone on record apologizing or taking responsibility for anything, even when doing so would be a clear, unambiguous winning move.
It's usually perilous to diagnose other people with psychiatric conditions over the Internet, and I don't think the case can be made for the Triplebyte CEO.
It reeks of they-raised-too-much-money-and-now-have-to-do-BIG-things syndrome and would seriously discourage me as either a user or enterprise customer, as if the AI/machine-learning BULLSHIT didn't already do that. They're a recruiting company that took a sucker punch with CV-19 and effectively tried to sell their user data as a get out of jail free card.
The saving grace is that LI Recruiter is a trash product (for years...) and they could probably eek out a consumer net-good by bringing more competition to the market, if only they went about it the right way.
It can happen, but if it does maybe you are the wrong person for the job.
The question really is: in what kind of mode would you have to operate in order to forget that you users might want to have a say in the publication of their data? That is like a restaurant waiter forgetting to ask people what they want and bringing them a single random things instead.
Every company that can help me find work is flawed, and I don't wanna start my own company any time soon. Heck, I am flawed. The best I can do is better than nothing and worse than perfect.
It seems as if everything is considered “private” now. No, not everything is private. You interviewing for a job isn’t private unless both parties make it private with a legally binding contract. It is a mistake to wishfully label public information as private simply because we don’t want it to be public. It also makes it harder to talk about true violations of privacy and distracts from understanding the real issues at stake.
What people ought to say, and have often said here, is that it is a violation of trust. People trusted Triplebyte to find them a new job, not lose their current job. That trust was violated not by an invasion of privacy — it is their data as much as it is ours — but a violation of using that data in a harmful way.
Privacy isn’t the problem here. The problem is with whatever broken processes led to this bad product and poor decision.
I would gently suggest that you look into the idea of "reasonable expectation of privacy" which has a long history in the courts.
Even if it is heartfelt, I'd argue that if no alarm bells went off internally when they were discussing this feature, they are not the group of people to entrust with information such as this.
... have a decent crisis management or PR firm on retainer.
Which might be as much of a red flag as the initial fuckup...
On what basis do you say they have a firm on retainer?
I think many/most CEO's in this situation would make some calls to get advice on how to manage the situation -- I don't that is a red flag.
If they don't take strong, concrete steps to mitigate these kinds of problems in the future, I will have less confidence and trust in their company.
This is another error in your thinking.
You can't solve failures in human understanding with technical solutions.
Your first instinct is going to be too try to cite counterexamples - but that only proves the point.
You're in a business that deals with people. You can't eliminate that with technology, and the fact that you think you can try is what makes you dangerous.
I certainly believe it. Projecting my own anecdotal bias, most surgeons I've met have been a special kind of arrogant.
https://www.linkedin.com/pulse/20140217220032-266437464-asia...
Book is... of oscillating quality.
There’s a guy who will buy accounts if you get up to like 2500 karma. I see you’re getting close and if you’re willing to give me a cut I can hook you up w/ his info. Great dude.
> Crew resource management formally began with a National Transportation Safety Board (NTSB) recommendation made during their investigation of the 1978 United Airlines Flight 173 crash. The issues surrounding that crash included a DC-8 crew running out of fuel over Portland, Oregon while troubleshooting a landing gear problem.
> The term "cockpit resource management" (later generalized to "crew resource management") was coined in 1979 by NASA psychologist John Lauber who had studied communication processes in cockpits for several years. While retaining a command hierarchy, the concept was intended to foster a less authoritarian cockpit culture, where co-pilots were encouraged to question captains if they observed them making mistakes.
Source: https://en.wikipedia.org/wiki/Crew_resource_management
I don't have any inside information but it seems that this could also be a case of the downsides of deadlines. They set a deadline and then all other considerations go out the window when trying to meet that.
https://news.ycombinator.com/item?id=23280137
Having said that, "sprint" is not a word I associate with thoughtful progress toward a reasonable goal. What it does say is "rush forward in a heedless manner" and "don't think, just run."
Another artificial deadline dressed up with terminology that encourages plunging ahead without due consideration.
golf clap
(One of the 2,000+)
On the other hand, once shit hit the fan, you could argue that these people would be extra-careful about fucking it up again, as opposed to another company where everything seems silently OK.
It's a bit like the story of the engineer who did a 400.000 dollar mistake on his first job. Asking the manager if they were going to fire him, he was told that no way they were going to fire somebody that just cost them so much money to train!
In my experience with Facebook, Google, and a variety of smaller companies, this doesn't happen.
To people who think the way TripleByte apparently does, the fuck-up was getting caught, not violating trust in the first place. If they had no moral issues with betraying users, they won't have any in the future (unless executives and board are replaced).
Instead, they will pay more lip service to privacy concerns and be more secretive about violating user trust.
The primary reason not to fire this person is that if something like this can happen, it's a process failure.
On one level I agree with this, in that I don't think 'heartfelt' is a fair metric. It's subjective, it's a ritual, and on some level the demand for performative contrition feels to me like something that doesn't have well defined parameters and past a certain point doesn't serve a purpose.
What is important to me are the statements that acknowledge error and recognize what made it a bad thing to do. Those seem on-point to me and, insofar as apologies go, I'm not sure what else should have to be said.
Lets wait and see what he, and the entire team who didn't stop this before they launched the idea to significant negative outcry, actually do in the future.
As soon as a company does something that a chunk of people on the internet don’t agree with, there’s really no way out. They’re going to get bad press regardless of whether they retract, whether they apologize, and whether they say they’re taking actions to avoid the sequence that led to the action in question.
But alongside that, for every time the internet mob has risen up over a company’s action, very few companies seem to have experienced major long term effects. I bet everybody knows a few people who have quit Facebook/GitHub, or who rage about Oracle business practices or MongoDB stability, but these companies still manage to keep trucking along.
In light of this, I’m mostly surprised that Triplebyte bothered apologizing; it seems unlikely to do them any good, and it’s unclear to me whether continuing course would have actually done as much harm to their bottom line as the prior Hackernews thread appeared to indicate.
FTFY...
It's hard to gauge significance without knowing a number of total users, but I imagine it is a relatively strong hypothesis that there is significant correlation between regular browsing of HN and having an account on his service.
I think you're running into the pagination problem: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
If you scroll to the bottom and click More you should find it. Edit: yes, it's there: https://news.ycombinator.com/item?id=23304097.
To me it doesn't seem credible that you as the CEO of a recruiting company didn't realize the issue of "default public" profiles. You literally have a section about confidentiality on the front page of your website so you must have known it was important to users.
And yet, tons of companies had done that, and suffered very little. Heck, any company has done something that "a chunk of people on the internet don’t agree with"...
It's not about never doing anything wrong, or it being futile to apologize.
It's about, you don't do THIS kind of privacy affecting changes without publicly announcing it first, and without red flags raised internally that it might not be a good idea.
That's a good thing to instill in companies, whether this one apologized or not...
2000 account closures is an actual business repercussion.
> and the internet mob’s displeasure, once roused, cannot be quieted by apologies, changes in behavior, or explanations
It absolutely could. As a member of said "internet mob" (I deleted my account) I'll say that yes, an apology by itself is not enough, but an apology combined with a long-term change in behavior would absolutely cause me to stop criticizing them and maybe even create an account again. If, for example, they remove a bunch of dark patterns from their site and change their terms of use to give specific guarantees of data privacy, that would go a long way in my mind.
Additionally, even if the 2000 accounts were enough to cause business impact, the idea that they’d need to demonstrate long-term change to win back those users is effectively irrelevant. They may as well put their efforts into gaining new users to replace the 2000, rather than try to repair the burned bridges. The return-on-investment for making “long-term change” to win back people who ragequit their service is low, especially since those people self-select for “people likely to ragequit again if they disagree with future company decisions”.
But ultimately, you might be right--maybe the net effect of not apologizing would be negligibly different from the net effect of apologizing. I don't have numbers to say you're wrong, but you don't have numbers to say you're right.
But as I said elsewhere, why are we even talking about this? You seemingly have complete, disdain for users who are concerned about TripleByte using their data against them, calling them an "internet mob" and accusing them of "ragequitting". Are you capable of empathizing with users at all? Do you have a conscience? Why are we talking about this as a strategic problem when it's an ethical problem?
But to be clear: Triplebyte’s specific situation is a an ethical issue only in respect to the fact that they planned to enable by default for existing users. That’s a bad move. They’ve stopped the bad move.
I’m more interested in the overall pattern of “company does thing, people disagree with thing, people express outrage to company, company issues statement”. Which in many cases has zero ethical components.
Your reaction that perhaps corporations shouldn't apologize when they do something wrong if it have any selfish benefit, does lack conscience and is a wholly inappropriate reaction to this situation. Discussing the self-centered strategic merits of apologizing from the perspective of a sociopath isn't a productive conversation.
However, I'm not one to write people off based on one interaction. Just because you've reacted without conscience in one situation doesn't mean you would do so in all situations.
> But to be clear: Triplebyte’s specific situation is a an ethical issue only in respect to the fact that they planned to enable by default for existing users. That’s a bad move. They’ve stopped the bad move.
There are more ethical issues than that--they haven't stopped them all.
> I’m more interested in the overall pattern of “company does thing, people disagree with thing, people express outrage to company, company issues statement”. Which in many cases has zero ethical components.
Which is irrelevant in this case, because this case does have multiple ethical components.
And, more to the point, this is still an ethical question. Apologies are never about benefiting the person apologizing. Apologies are inherently an ethical action--if you claim that the company didn't do anything wrong, then they shouldn't apologize. Not because it doesn't benefit them, but because lying about being sorry isn't ethical.
"Should a company lie and pretend to be sorry when they haven't done anything wrong?" is still an ethical question, and you're looking at it from the perspective of selfish gain is still an inappropriate way to look at it.
I suspect, in light of that, that we’ve bottomed out the utility of this thread.
> Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.
To project my own opinion onto others: these comments are warranted because an apology has no actual value. The fact remains that Triplebytes can still do this if they wish to, and they are constrained only by what they can manage to slip past their users.
There's a stark asymmetry in the digital space, where service providers are protected by the legal language in their TOS or EULA, but the users have to trust that the service provider will not act outside their interests, and with no recourse. By contrast, in a normal contract negotiation, there will be an opportunity for both sides to ammend the contract to better serve their interests.
If Triplebytes wanted to show that they will not attempt to do this again, they could break this asymmetry and constrain themselves in their user contract, accepting all resulting liability or specifying concrete penalties if they do persue this route in the future. An apology is just a meaningless PR exercise.
Why is this a hard thing to do? It’s literally what everyone who ever messes something up is asking you to do.
Just because someone once committed a broken build, doesn’t mean I’ll never again trust them with access.
It’s argubly more like “sorry for being a moron, but I hear you. Please give us another chance”?
I don't think this analogy is useful. An error in execution can be quite different in an error in judgement.
To offer an alternative example: a contractor decides to publish the source code to a company's closed-source software, so that they can use it as evidence of their work for their next job application.
> It’s argubly more like “sorry for being a moron, but I hear you. Please give us another chance”?
When these kinds of bad judgement happen, the person normally loses some decision-making power to stop it from happening again. This is in noticeable contrast to Triplebyte here: an apology as a PR exercise, and no material change to prevent it in future.
Because you're treating a service-client relationship as an interpersonal relationship. They are not, and the same norms do not apply. That apology, and its implicit premise(s) and promise, is rooted in the norms of intimate, interpersonal relationships. Those do not apply.
When you screw up and ask your spouse's forgiveness, the psychosocial interaction is quite different from when a CEO fucks up, writes a mea culpa to the faceless masses, gets his draft looked over by a PR flack and a couple board members, and then sends it out to the highest-impact social media circles for his service and waits to see what his KPIs do.
However much you'd like to, you can't just flip that trust back on - and in a lot of cases, it'll never fully go back to the way it was.
Not that we should personify company-customer relations - this was a decision that would have been taken by a lot of people expending serious effort to get it out the door. It's not a single lapse in judgement, but a continued expression of different values.
Not to mention this terrible default practice landed them some great pr to start with and the apology gives them more (this time "good pr")
It shouldn’t be for gain. In fact if apologies always led to a positive outcome they would mean less and the world would be a worse place for it.
Obviously is a bit harder if you hit-and-run someone’s pet dog.
It would be one thing if he apologized immediately after people pointed out the flaws in their plan.
But he didn’t.
He ignored all the objections, and defended his decision over and over again.
He clearly didn’t care.
There is huge difference between “whoops, we didn’t think things through, sorry about that” and “after seeing tons of people cancel their account, let’s pretend that I’m now truly sorry.” Especially when he had a history of building shitty social networks.
Two thousand: https://news.ycombinator.com/item?id=23304097
This isn't kinder garden, we're not here to educate those companies, they run a business, you mess up, you're out, we give the competitor a chance. That's how it works.
As a user, I’m also not dropping a company that provides me a useful service at the first (or likely second, or third) mistake.
Not everybody subscribes to this one-screwup-and-you’re-done mindset that you seem to be describing.
> that provides me a useful service
And what if the service stops being useful? What is an apology going to change? No longer useful, you'll move on.
That's where I find these apologies to be a sham. It's trying to play on people's emotions, to keep them around even once they've stopped providing value and utility, or in this case, actually causing you harm.
The only reason your employers have kept you around, is because your "mistakes" were within the expected range of what people in your position will be making as well. If you fall below that threshold, trust me, you will not be kept around for very long.
I’m saying that’s not how I approach my interactions with businesses. As you noted in your reply, employers expect an employee to make mistakes within a reasonable threshold. I have the same expectation for companies that provide me services. Making a mistake does not suddenly evaporate all their “usefulness” to me, as you seem to be suggesting.
When I say "mess up", I imply a quantity of mistake that is beyond acceptable for the value I get.
You seem to quantify "mess up" to a much smaller degree, like "mess up" implies a reasonable set of mistakes.
So we're not discussing the same scenario, due to us quantifying "mess up" to different degrees.
It seems if we normalize our quantity of "messing up", that we actually fundamentally agree. No amount of lack of or of providing an apology really affects the consequence. Mess up within reason, you don't even need to apologise, as long as I'm still getting good value I'll continue to be a customer. Mess up beyond reason, and an apology won't help, as soon as I'm no longer getting good value, or if you're actually providing me negative returns, I will begin to look for an alternative.
We should reward apologies and punish those who don't. Our failure to do so is creating a market incentive that will destroy or weaken valuable norms.
We should expect rather than reward apologies, and we should punish both people who fail to apologise as well as people who apologies but fail to follow through on changing their behaviour.
Ammon so far has done no more that the minimum expected from someone in his position. Time will tell whether his actions reveal his apology to be genuine and behaviour changing, or empty lies.
Rewarding apologies that turn out to be empty lies is what gave us Facebook. I fear Ammon's ambitions are to be more like Zuckerbergs rather than less, so I'll be very judgemental and dubious as I watch future moves by Ammon and Triplebyte. Like he acknowledges, he's lost trust. You earn trust back by your future actions, not by the eloquence of your apology.
The one action they took is that they cancelled the feature. _That_ has value. Arguably not enough, but it's a good first step. I'm eager to hear what they follow it up with, but they _have to follow it up._
Uttering (or publishing) words is an action.
Correct. I don't want apologies or retractions from companies. I want postmortems.
This is really no different from a technical outage, e.g., "As a result of a bad deploy to prod on Friday, all Triplebyte profiles became public." Why was it not noticed in testing? What is the testing process? Is profile privacy part of the testing process or part of code reviews? What are the practices around making changes that affect user privacy - is there a culture of asking questions about it up front, etc.?
Most importantly, what changes are being made to prevent a similar outage from reoccurring in the future? I really couldn't care less about how bad the CEO feels about it - sure, the CEO probably should feel bad, but feeling bad is not a reliable mechanism. If the CEO said "Bwahaha, I wish to profit and I learned over the weekend that my profits were in danger, so I changed course" but then says that in order to maintain his profits in the future he added an external privacy council that reviewed all major new initiatives (or whatever), that would actually be a lot more useful than contrition.
Now, yes, it's true that basically no company does public postmortems of decisions that they needed to walk back (at best you get blameful postmortems that end with a key executive resigning, but most of the time that doesn't help anyway - either the executive wasn't the problem, or they were the problem and they already spread the bad culture to others). But I think it was pretty rare until a couple of years ago for tech companies to do detailed public postmortems of internal outages, and that expectation has slowly changed. I think we should push for the same change for non-technical incidents like this.
And I absolutely agree that the feelings of the CEO matter less than putting in place some proper procedures.
Profit ain't bad.
Now, I suppose it may be possible that the CEO in this situation dramatically misunderstood the situation. It may even be possible that he had good faith even as he militantly defended those misunderstandings in previous threads. But from the perspective of trust, I can’t get past the suspicion that he’s just sorry that he got caught.
I read the apology letter as essentially saying he single-handedly drove the idea, in part because he was flailing due to COVID killing their bottom line, and was tunnel-visioned enough to not recognize it was unethical. Even at face value, that’s absolutely troubling for a CEO in TB’s domain. But smarter people have done dumber things under pressure, and sometimes dumb is at someone’s (or a lot of someones) expense by mistake.
So I’d like to think this was an exceptional occurrence, and I appreciated his personal post-mortem of sorts. However, taking this as charitably as possible, a process-oriented RCA focused on how he’ll keep his runaway ideas from being a one-man show—or whatever the problem actually was that saw this conflagration actually see light of day—wouldn’t suck.
As it is right now, I’m giving some charitable credence to the idea he’s the CEO equivalent of the skydiving photographer that, in his passion to get a great shot, jumped out of his plane with no parachute. It certainly may end up having an analogous effect on Triplebyte’s credibility.
Potential business processes include "ask about ethics as part of culture fit, and have a good sense of what you mean by 'ethics'," "ask about ethics as part of promo / do not count projects that put user data at risk towards promo," "vet investors for their ethics and see how their other investments are doing before allowing them to take a board seat," etc.
An ethical CEO will probably be doing many of these anyway, which is fine. You don't need to formalize them. It's fine for the CEO to say, for instance, "Ordinarily I would have put the brakes on this via this particular means, but I failed to notice because of this unexpected circumstance. I'm sorry and this is how I'm going to make sure I notice and make the right decision next time." (That is't too far off from what was actually said, actually, except for the bit about how to make decision-making more robust in the future. Everyone, ethical or not, fails to live up to their expectations of themselves at least occasionally.)
I absolutely agree. But this only works if the top leadership are themselves ethical people. If they are unethical or even neutral, it’s going to backfire. Instead of hiring people for their backbone in terms of pushing back against unethical decisions, it turns into hiring people for their willingness to conform to what they are told.
> It's fine for the CEO to say, for instance, "Ordinarily I would have put the brakes on this via this particular means, but I failed to notice because of this unexpected circumstance. I'm sorry and this is how I'm going to make sure I notice and make the right decision next time."
Definitely. But you only get to use that excuse so many times before it starts to lose credibility.
> That is't too far off from what was actually said, actually
Here I disagree. To his credit, Ammon has taken full personal responsibility for pushing this through, even over internal objections. It’s not a failure to notice something that happened when you’re the one doing the thing.
The resolution is also more personal than procedural: be more conscientious about your users and listen to people who object to your ideas. Demonstrate that you can do that over time and you can regain trust.
Exactly this. The only thing that _might_ actually make me trust Triplebyte with my data again is if their current CEO actually stepped down to a less influential role. If I were part of the board I'd actually be advocating for him to step down or be forceably removed if possible.
He didn't put a stop this catastrophic breach of trust after being made aware of it. Even worse, he seemed to have actively drove this forward in spite of opposition. I'm simply not willing to trust a company where he's the top-level decision maker with data as sensitive as they're dealing with, apologies or not.
I'm sure the CEO has been taught that good leadership means fessing up when you've screwed up, and to an extent that's true. But it's also an act of ego to assume full responsibility. Ego got them into this mess, most likely, and it will not get them out of it.
The CEO needs to realize there was a systemic failure. It's not just about him having an epiphany – it's about surrounding himself with people, processes, and values that can help keep a runaway product idea from breaking their customer base ever again.
I wonder why anyone would ever place a non-zero value on an apology from an organization acting in its own interests. A company isn't a single person acting in isolation and ignorance. It's a profit-seeking entity organizing a whole number of people of various levels of conscientiousness and intelligence, and pointing them at a single profit-seeking goal.
When that many-limbed organism grabs at a profitable course of action, it's not an impulsive accident of blind flailing. If that turns out to be a problem and they have to reverse course, it's not because of remorse.
They did what was in their interest then; they did what's in their interest now. People confusing corporations for actual, you know, people absolutely baffles me. Their apologies mean absolutely nothing, good or bad, but how bad a hit their business appeared to take and how good their copy writer was. That is all.
As another poster said, and I agree wholeheartedly, I don't care for apologies, I care for post-mortems. The only thing that matters is what operations led to this action, and what change in those operations will prevent it happening again - if any such change can prevent it. A public mea culpa with an executive's signature on it means... well, nothing. Absolutely nothing. It's the cheapest possible way of reclaiming good will, and worth the paper it's written on.
Because the people running the company have a conscience which causes them to feel bad and want to apologize when they harm people? Are we really entertaining the idea that the only reason someone might apologize is if it benefits them?
It's disturbing to me how absolutely normal your comment is on Hacker News. There's a significant portion of HN whose entire concept of ethics seems to be, "if it's profitable, it's right" and who can't imagine any motivation except profit. Over and over again we see profitable corporations doing terrible things and people on HN defending them on no other grounds but the fact that what they are doing is profitable. And when people disagree, it's almost always because the profitable corporation's actions affect them directly. All I can conclude is that a significant number of HN users are just amoral, which is terrifying, because a lot of HN users hold positions with significant power.
And before you tell me that everyone acts selfishly--no, they don't. I've met hundreds of wonderful people in my life who were generous, honest, kind, and/or brave, at great personal cost and risk to themselves. The behavior you're engaging in isn't normal, and it's not okay.
>... And before you tell me that everyone acts selfishly--no, they don't. I've met hundreds of wonderful people in my life who were generous, honest, kind, and/or brave, at great personal cost and risk to themselves. The behavior you're engaging in isn't normal, and it's not okay.
I can see that you’re trying to be charitable, so let me try and be charitable in return.
I actually kind of agree with the comment you’re responding to, but I don’t interpret it the same way you do. A normal, moral person like you or me will apologize out of genuine guilt. But then again, a normal, moral person like you or me doesn’t operate a business in a way that betrays the trust of its users.
I don’t think everyone acts selfishly. But I do think that some people do. And even a selfish person would want to try and convincingly feign remorse for their selfish actions once those actions backfired and were no longer in their own self-interest.
I think akerl_ is saying that companies shouldn't bother apologizing when they do something wrong and get caught.
I think that's some "lizard person school of business" shit that has no place in a civilized society.
And sure, maybe the answer is that they’re not sociopathic in the first place. But that’s a very non-cynical answer. Credulous, perhaps.
Either just release the feature anyway, and maybe default it to opt-in for people with existing content, maybe make it “only content from $now forward is public”, something to that effect.
Halt the feature, but expend the minimum possible effort on the message out: “Hi all, we’ve reconsidered the feature in light of feedback. Thanks, CEO”.
It’s not clear to me that applying more time/effort to explaining themselves to the world has done them any benefit. There’s the bulk of people who didn’t notice / don’t care, there’s people who are permanently angry, and there’s people who are going to want to see actual changes before they revisit.
The people who work for a business are incentivized to live lives that let them sleep well at night, but it’s entirely possible for them to learn from this experience and behave differently in the future without bothering to respond to the mob.
You have accused me of misinterpreting your intent elsewhere, but really I don't know how you expect me to interpret this that would cast you in a more positive light. You're saying you would do unethical things, so I don't think I'm off-base to say you might be unethical.
As a customer, am I going to believe TripleByte is sincere when they apologize to me? Maybe, but probably not. The only way to be sure is to judge them by their actions.
And in this case in particular, there’s not technically anything to apologize for since they never actually rolled out the feature.
Any liar can make beautiful apologies without meaning a word of them. It takes an honest person to demonstrate conscience through their actions.
My point above is that I don’t think internet mobs incentivize businesses to behave that way, and in fact it seems that apologizing to the mob, or adjusting behavior in response to things the mob does not approve off, are counterproductive for the business. They continue to take heat for the wording of their apology, they get another wave of media coverage about the thing the mob is pissed about, there’s not really any visible upside.
Given that, I’m surprised more business don’t just ignore the angry people on the internet and just proceed as-is, continuing to rake in money from the people who aren’t outraged.
But maybe I’m just a lizard, unfit for your civilized society.
Okay, great, so we're in agreement.
The incentives applied by dissatisfied customers aren't about getting companies to apologize: it's about getting them to behave in a manner such that they don't have to apologize. If you want to discuss whether there are better strategies that dissatisfied customers might employ, that's something I'd be happy to discuss.
If you actually want businesses to apologize and adjust their behavior as you claim, then it makes sense to look at how customers can make that happen.
Point being: if your goal is to actually help people harmed by corporations, calling those people "internet mobs" who "ragequit" and then analyzing whether it's profitable to apologize to them is a pretty strange way of communicating that goal.
I’m not looking to debate whether or not you agree with my word choice for “the people on the internet who loudly protest companies who do stuff they disagree with, and stop using those companies’ services out of these disagreements”.
Neither do I, and I'd be interested to hear how you think people could do better.
With this understanding of the word, using the phrase "the internet mob" seems quite negatively loaded. Consider the context of companies harming their users in ways that may not be obvious to everyday people: I, for one, want people organizing to get the word out.
Companies are becoming more sterile and calculated, and perhaps statistically issuing an apology has no impact on user retention, but I for one am glad there is still some humanity to be found even if it's a hollow gesture.
Publicly taking responsibility and acknowledging mistakes can be a powerful tool in changing. Because of this apology, I will at least monitor Triplebyte's progress to see if significant structural changes are made to keep a decision like this from being made, instead of not even giving them a chance to gain back my trust. Their actions will tell whether this apology is genuine or not.
Users can still see that... and be worried about how they came to the inital decision.
None of that should influence if you do or don't apologize.
Just because it doesn't work for everybody doesn't make it not worth doing.
FWIW the apology doesn't do jack shit for me.
The dude has personally tried to pull fast ones on me. This is a fucked company since day one. I brushed it off, but when you keep up these patterns for years...jog on.
Can you clarify?
What holiday was that? I wasn't aware of any. In any case, I'd say Christmas is probably the biggest holiday, although it doesn't always fall on a weekend.
This past weekend was Memorial Day for those in the United States.
Personally, i appreciate the honesty from people, whether they mean it or not, it still takes some bit of honour and humbleness to openly admit your mistake. It's not an easy thing to do and i can appreciate the effort it takes to come out and just straight up say 'yeah i'm an idiot and i fucked up pretty bad.'
Plus, the way i look at it, you always have to remember, no matter how badly you fuck up, you're not that dude that fucked up the space station and caused a slow oxygen leak that had to be repaired with a risky space walk and even he was forgiven...probably.
ETA: Just to add to this as i've thought of it. Years ago, somebody i knew stole a few hundred dollars from me and disappeared. I thought i'd never hear from him again. A couple years later i got a random phonecall from him. He didn't have my money or anything, but he had the guts to call me and apologize and admit he'd just straight up ripped me off. I've never heard from him since and i'd never trust him again, but i respect the nerve it took for him to do that.
Do you suppose Ammon truely realises this plan was a totally unacceptable betrayal of his users, or that he admires and aspires to be Zuckerberg still?
No I doubt he truly realizes it. There's no way he can empathize or truly understand the needs and worries of people using his service. But, like I say, I respect and appreciate upfront admission of wrong doing. I don't think anyone should trust them.
Tryplebyte fucked up, anyone believing this shit wasn't intentional and planned to derive revenue from users during an obvious downtime is naive. The mistake was not realizing this was a horrible idea and continuing to such a ridiculous thing. They should be abandoned. But I respect the admission of the fuck upery.
Ammon has done this once. I think everyone deserves a second chance, and maybe even a third. Zuckerberg has had way more than that.
If they want to correct this mistake, turf the product manager or make a $25K donation to the EFF as an act of penance.
To put it much more politely than they deserve, this company is scum.
Perhaps he read that and took it to heart. Perhaps he read that and realized it would sound better if it seemed like he took it to heart. Perhaps after the monumental PR screw-up, they hired a PR professional that wrote the apology.
Who knows. Actions speak louder than words.
a) No one thought this was a bad idea, or
b) people who thought it was a bad idea didn't want to say it was a bad idea (why?), or
c) people who did say it was a bad idea were not listened to (feedback was not acted on).
That might be a good indicator that perhaps _they_ are the sort of people who might sensibly be trusted with job seeking personal information...
This email is full of sincere I statements. Whether it comes from reading your comment or just reflecting on the whole situation, this is about the best response I could have imagined a few days ago. It accepts responsibility, and shares the thinking and feeling behind getting so far from where they should be heading.
I don't have a TripleByte account at the moment, but if I did I'd be open to what they do next. A CEO who has made a major mistake and taken sincere responsibility for it in my eyes is more trustworthy than many who just haven't made their first major public mistake yet. I know we need to watch them carefully for a while, but this is about the best statement I could imagine Ammon and TripleByte putting out right now.
Doesn’t it show that I’ve properly reflected on how I could screw up like this so O can adjust my behavior in the future to avoid it?
An apology 100% does not need explanation or justification of why mistakes were made.
And if you're going to put those in, you 100% need them not to be "Our company is doing it really hard due to COVID, so we though we'd just {{monetise user data provided under strict expectations of total privacy}} "
People who beat their partners regularly say "look what you made me do!". Ammon just said "but I was going broke, I had to try this!"
Indeed I've learned this the hard way.
Having said all that, the above apology goes even farther in accepting personal blame than I would have expected... so I'd be slightly torn on this one if the cynic in me didn't know he was likely coached heavily in crafting it.
edit: A lot of people in this thread are naive to the nature of sociapaths....
https://news.ycombinator.com/newsguidelines.html
p.s. While I have you, could you please stop creating accounts for every few comments you post? We ban accounts that do that. This is also in the site guidelines. You needn't use your real name of course, but for HN to be a community, users need some identity for others to relate to. Otherwise we may as well have no usernames and no community, and that would be a different kind of forum. https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...
I don't mind being flagged though. This is a [YC invested] company that just exhibited another example of the valley libertarian "the rules don't apply to me as long as I make money [or I get caught]" mentality. And hey, if that's what his priority is, more power to him! I personally think "sociopath" is an accurate label for that group of people, but sure, we can use a different term. How about objectivist? :)
Thanks for responding so nicely about the accounts thing.
It's refreshing to see a real, detailed, apology. Just taking responsibility and owning each mistake of judgment or process along the way.
My opinion of these guys actually went up a notch over this debacle.
> They listened and that's what counts for me.
The fact is that they didn't listen. The ceo ammon was here on hn clearly not listening and clearly not apologising.
I would surmise that it's only due to a flood of account deletion requests that he started to notice... Add this proves one thing: on triplebyte you are the commodity and not the customer.
Although it's unlikely I'd have ever used them, because of this fiasco you can be sure I'll be warning people away from the platform entirely, heartfelt apology or no.
For my view to change he'll have to do a whole lot more than one email. He needs to change his way of thinking and one email is no way of proving that it's happened.
1. Actions speak louder than words. In this case, they are reversing what originally caused the outcry.
2. Did they look introspectively to try to really understand what made people mad in the first place. In this case I believe the CEO did.
If we don't ever accept sincere apologies, then we're left with a world where there is never an incentive to apologize and improve. Frankly, seeing a taste of this in US politics with politicians doubling down on their past mistakes even when confronted with all evidence to the contrary - this is not a path I'd prefer to go down further.
3. What steps the corporation took to prevent this issue from occurring in the future.
While a believe that the CEO is sorry, I can't consider the issue resolved without #3.
They want to make profiles pubic, like LinkedIn. The public profiles only contain subset of information from actual profile. Their FAQ page says that you can enable/disable sharing of your profile. They sent email to their users announcing the change and giving plenty of time to change settings.
I don't see how could they do better than that.
Synopsis IIRC: Dark paterns, requiring ID to close account, 30 days to close account (and they quietly cancel the request if you log in), only 7 days notice, no permanent opt-out.
So the real issue are those dark patterns, not that much making profiles public. If they would execute it right, I think majority of people wouldn't have problems with it.
He made the feature opt-out. He sent out the email on a Friday before Memorial Day weekend hoping no one would notice. He made the opt out button hard to find. He made the process of deleting accounts very hard, saying they required government ID and it would take 30 days.
He knew exactly what he was doing.
He made preparations for the blowback. That’s a fact otherwise he wouldn’t have taken these dark measures ahead of time. What he didn’t anticipate was getting caught and the level of vitriol he would receive.
He honestly thinks he is smarter than us. I think a person can go to the well only so many times before we have to assume they are insincere and lying.
It is too early to put trust in Triplebyte. The classic Silicon Valley playbook is to do something that crosses a boundary, get pushback, apologize, and later try again. Eventually it succeeds.
Examples:
- sharing all you financial transactions and passwords with a third party
- suppressing posts for reasons
- sharing private conversations with powerful parties
Wait and let Triplebyte prove itself with real actions instead of just talk.
That’s a very charitable analysis of the situation. For all we know, this decision was motivated by internal KPIs that immediately reflected what a disaster this was.
The whole situation reeks. Announcing on the Friday on a long weekend, the ceo defending it ardently in HN comments, the very deliberate decision to make it opt-in, the difficulty in disabling it. I mean, sure, this apology could be heartfelt. But that doesn’t mean it wasn’t a shady as hell thing to do, and a shady as hell way to do it.
There are really only two ways this happened:
A) The company’s culture and values are so maligned they actually, genuinely thought this was something that would excite users and go over well.
B) They were 100% aware that this move was ethically dubious (at best), but were willing to take the risk. This is the much more likely path when you take into consideration how exactly they went about it.
An apology can be heartfelt, but that doesn’t have anything to do with whether it undos the damage. And it can’t make people forget that TripleByte thought this was a good idea. That says so much more about the company and their integrity than any apology ever can.
First, this was not shady as hell. Shady as hell would be selling your data to a 3rd party and never telling you. Not-shady is building a feature, seeing negative feedback, and cancelling that feature.
It’s more than likely they had discussions and came to a decision through thoughtful discourse, rather than knowingly saying “fuck the user”.
I have been in meetings where everyone in the meeting though "doing X will have no impact on anyone so there is not need to notify", where I knew 100% they were wrong but none of my arguments landed, my final statement was "well if it is not significant then the email should not matter either so why not just send it out just in case."
These things do not happen in the vacuum, and while it is good the CEO is talking 100% of the blame, I can assure you the CEO had internal support and internal dissent for the feature.
Their culture and values have been much maligned, but you mean malignant. Please don't take this personally, it's just that it seems like this misuse of the word is going viral.
There have been similar incidents throughout tech history (and history in general) - it's not always that the culture is bad. It's also sometimes an honest mistake (at least, thinking through the ramifications of it is).
just a classical SV startup - "it's better to ask forgiveness than permission" . This time though we, SV tech, did it to ourselves and thus there are such loud and so many screams of pain - because it is our own pain.
His actions and response are consistent with behavior. It sounds much better to say "I didn't think through it" than "I knew it was bad and wanted to try it anyway."
Welcome to the new world of Cancel Culture, where no can ever be forgiven, excused or allowed to personally grow
The second you make a mistake will that should mean your life is over...
Society today is in a sorry state and I see no end in sight
Hiring is their business and such a complete misunderstanding of the system and subsequent tone deaf responses (up until today) really make you question the entire thing. Or their grasp of hiring in general. Even with the best intentions, does make you worry.
I liked the idea of the feature quite a lot. I'd love to be able to publish select Triplebyte info. It just needs to be something I can choose to do, rather than chosen for me.
Who has accessed the data already? Not only directly but indirectly as well? Have you received any compensation or settled any transactions by exposing the data?
> Nor in the critic let the man be lost
> Good-nature and good sense must ever join;
> To err is human, to forgive, divine.