32 comments

[ 2.8 ms ] story [ 49.2 ms ] thread
I have to say I was skeptical of EffectCheck until I saw this post. While it's certainly opportunistic in taking advantage of the Dropbox PR situation, it's also a great case study that shows the value of their technology.
Be that as it may, I do however sincerely hope that widespread adoption of their technology will not lead to PR being even more bloated and filled with meaningless feel-good phrases and buzz-words. I, for one, appreciate concise, straightforward PR (which might sound oxymoronic).
I don't understand what you see in this technology. It doesn't take a genius — or a computer for that matter — to figure out that the post was emotionally tone deaf.

The axes used by EffectCheck don't make sense to me. For example, can a post simultaneously score highly in "anxiety" and "confidence"? Aren't these opposites?

As a designer and programmer — Don Norman's newest article for Core77[1] got me thinking about this — I am a bit quick to roll my eyes when I see the powerful visuals ("Oh, a chart!") deployed to trivial ends (a relatively simple Bayesian classifier?), and EffectCheck has the hallmarks of something as unsophisticated as ELIZA[2] or the Myers-Briggs personality test.

[1] http://news.ycombinator.com/item?id=2679720

[2] http://en.wikipedia.org/wiki/ELIZA

> For example, can a post simultaneously score highly in "anxiety" and "confidence"? Aren't these opposites?

Indeed they are opposites. People can hold many dual emotions simultaneously-- love and hate, belief and doubt, etc.

> can a post simultaneously score highly in "anxiety" and "confidence"?

"I'm absolutely utterly sure that climate change is real; we are all going to die in two years! PANIC!"

While some of these metrics are interesting, I completely disagree with the conclusion of this article. Ferdowski's word choice is not the issue here. The issue is how he went about delivering the news. Had he promptly emailed his userbase immediately after fixing the bug, I think there would have been significantly less backlash.
Agreed.

Your users should not find out about these things via HN (or any other news site).

At this point, I don't think I can trust Dropbox with anything remotely valuable or private, and I bet I'm not the only person who feels this way.

I guess it's because I'm an engineer that I appreciate understanding exactly what happened, and can tell he understands this is a big mistake.

"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

How is that not clear enough? All of the criticism is either unfounded (saying they need PR doesn't explain the problem) or minimal in nature (not saying the word "sorry" when explaining an outage).

It's not clear enough, because people that don't frequent HN, Techcrunch, and the like, still haven't heard about this lapse. No email was sent out, and I doubt there's one coming. Had someone not noticed something was up yesterday and not made a stink about it, we wouldn't even have this message to read.

The message is fine. The venue is wrong.

I totally agree, an email would be much better than a blog post. Or a message you see when you login, which could also help you check your access logs in these 4 hours.
I received the following from Drop box late last night:

We are writing to let you know that there was some activity in your Dropbox account that we'd like you to review. On June 19, 2011, there was a brief bug with our authentication system that could have allowed unauthorized access to accounts. You can read more about it at our blog post linked here.

Based on a careful review of our records, we noticed that your account settings page was accessed during the time the bug was in effect. While it's unlikely, we'd like to be cautious and make sure this was you because if the activity was unauthorized, the information in your account could have been improperly accessed. Please review recent activity in your account, which you can view at http://www.dropbox.com/events, and let us know if you find anything suspicious.

We noticed that during the time the bug was in effect you also:

Logged into the Dropbox website Linked the desktop application to your Dropbox

As a precautionary measure, we logged you out of the website and disabled any apps.

We are very sorry and this should never have happened. We are scrutinizing our controls and will be implementing additional safeguards to prevent this from happening again. If you're not able to access your account or have any other questions or concerns, please contact us at support@dropbox.com.

I don't know what else they are supposed to do. They should have never screwed this up to begin with, but grandted that they did I think they've responded just fine.

IMHO All the moaning about how they've handled this is just a bunch of baloney. If a company spokesperson speaks out of both sides of their mouth, people cry for honesty. When a company is blunt and honest, they need to hire a PR person. I wonder how many people on these threads are 'PR' people.

You've created a false dichotomy here. You don't need PR to have empathy or accountability – just a sense of humility. You can still be completely blunt. If the blog post had ended with:

"We fucked up. Not cool. We're going to work hard to prevent these things in the future and earn your trust."

Then the tone of the response would have been very different. That email was pretty good – they should have said something closer to that in their blog, too.

> The message is fine. The venue is wrong.

bingo. they needed a message that was easily understandable and relatable by all clients. there's nothing inherently wrong about the post and would've been a good status update or part of a post mortem, but not the entire PR statement of the company about the incident.

> All of the criticism is [...] minimal in nature (not saying the word "sorry" when explaining an outage).

I can't disagree with this sentiment enough.

The word "sorry" isn't about being nice – it's about being accountable. What we're seeing here is a second lapse in Dropbox's security – a hard problem! – but little acknowledgement that hey, this really isn't okay, these files are important to users, and this is a breach of trust that needs to be remedied.

Moreover, this isn't an outage as in "boy, wish I could access my dropbox." This is a security outage as in "boy, wish the entire world couldn't access my Dropbox." The period of time, the cause, the impact is, in the end, immaterial to the outcome of breached trust.

So when we fuck up, as grownups, we take a moment to acknowledge it, explain the cause, and express how much we value the trust we've been given. The alternative is to leave the impression that trust is taken for granted. Which, in this case, it sure as hell feels like it is because Dropbox is doing nothing to dissuade that impression.

These are good guys with a great product that makes a lot of people's lives better. They just need to be accountable for their shit – that's all people are asking for here. Perfection is impossible but being good in your relationships with users is something anyone can do with a little empathy.

as the parent post your replied to already quoted

"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

this is absolutely unarguably taking full accountability.

It's not clear because it does not explain what happened and why it will never again.

Users expect something like "There was a solar eclipse that caused a bit flip on our login server which caused strcmp to give the wrong result ...". We expect an explanation of why it happened and why it will never again happen, and "lulz sry" is not very confidence inspiring.

The security hole was an egregious error on the part of Dropbox, but the text of the CTO's response seems right on the money to me. Should "EffectCheck" be renamed "DumbDown?"
I don't think there's anything wrong with the message from Arash. They made a fix in 5 minutes and clearly say how they will be working to prevent this in the future. I think the best way to handle such thing is to be honest about it as they did.

They also don't give an example of what might be a better way. It's easy to say things are wrong. And I'm not sure if their data is an indication of anything. Ok people react with anxiety (or the analysis of their comments suggests this). But wouldn't you suspect that people don't react happy if their data could've been stolen? You should measure if people would trust dropbox again in the long run.

Also, let's keep things in perspective. It took Sony days/weeks (?) to admit the problems with their network. This is a) honest and b) reasonably timely.

Wether or not one agrees or disagrees with the actual technical setup of Dropbox is a separate question altogether.

The problem is that the message doesn't make anyone feel better. They apologized for the problem, but i still wonder if Dropbox fails open. If their login servers go down for a few minutes or get DoSed, can anyone access my account?

That doesn't leave a warm fuzzy feeling for storing my important personal information with Dropbox. It also makes me wonder; why didn't they clarify what the problem was? Are they hiding a big vulnerability?

Meta comment - this article was originally submitted 7 hours ago (http://news.ycombinator.com/item?id=2678163). The article was then submitted a second time just recently with an alias url '/?p=291', presumably with the proper voting rings in place. Is this an accepted tactic for promoting articles on HN?
They seem to jump on any chance to promote their technology. Very aggressive and annoying marketing. If the articles had any meat to them, I'd nod and move on, but this seems just a cheap plug.

My BS-meter went way up, when I scrolled down and saw the charts that conveniently "verified" the sentiment on Hacker News. I hope they don't think I typed this message, because I am depressed and lack compassion.

More meta: at this point I have no reason to see their measurements as anything other than hocus-pocus. What I've read of their description of it so far has amounted to classifying words -- context-free -- as "anxious" words, "depressed" words, and so on, and then simply counting their occurrence in text.

I would be hugely surprised if that actually gave reliable results! Human languages are hugely nuanced and context is a key part of interpreting mood in text, and even humans fail often at that. People often express surprise, for example, at pg's personality in person or in televised events, because his comments often seem (as one person put it) "Vulcan".

I'm starting to try to think of ways to thoroughly debunk their method, mostly because I'm curious if it would actually stand up.

Another meta comment :)

The bar charts in the article would have been much easier to read if the horizontal axis would start at "typical". That way low would be seen as negative, while high would be seen as positive.

"The article was then submitted a second time just recently with an alias url '/?p=291'" -- yes

"presumably with the proper voting rings in place" -- [citation, etc]

I doubt there were voting rings. Rather they probably just thought to give it another go. I can say that I'm honestly surprised about what drops off of "new" with just two or three votes, compared to some of what is on the front page. I can't help but believe that if some of this content was resubmitted, it would do much better.
(comment deleted)
I agree that an email should have gone out (instead of just a blog post), but it's not at all clear to me what is wrong with Ferdowski's message. This blog post contains lots of shiny graphs but doesn't explain in any capacity what was wrong with the statement. Changing the color of words is not a cogent explanation.
> However, the announcement by CTO Arash Ferdowsi has received an especially negative response. This post presents an EffectCheck analysis of Ferdowsi’s statement and the reaction of the audience.

No it doesn't present the reaction of the audience. It shows the reaction of a specific audience (i.e. HackerNews) - which is a very specific demographic. I love HackerNews like the next person, but people on here need to realize there is a whole big world out there that wears a different pair of glasses...and don't sport neck beards.

The depression and anxiety scores are complete fabrications. Why is this nonsense voted up so high? Also, some of the comments smell of astroturfing.
I don't understand what was so bad about the announcement. They made a mistake, they took steps to fix it. That's what the announcement said, and that's all it needed to say. I don't expect companies to come groveling to me, begging for my forgiveness for making a mistake with the service they're offering me for free.
All this dropbox security stuff is easily solved with truecrypt. I don't know why anyone was assuming that the service was secure to start with, these things never are.

EDIT: I too detect the pungent stench of imitation lawns.