Triplebyte now showing profiles by default without consent

255 points by windowshopping ↗ HN
I just got this email from Triplebyte:

Hey [name],

It’s been 12 months since you found the opportunity that’s right for for you on our platform. We hope things are going great!

We wanted to let you know that your profile is no longer hidden from companies on Triplebyte. Companies will be able to view your profile and reach out with opportunities through the platform.

If you’d like to maximize requests on Triplebyte, make sure your profile is up to date. We’ll use this information to match you with the best opportunities.

83 comments

[ 0.24 ms ] story [ 165 ms ] thread
Previously:

Tell HN: Interviewed with Triplebyte? Your profile is about to become public (12 months ago): https://news.ycombinator.com/item?id=23279837

Tell HN: Triplebyte reverses, emails apology (12 months ago): https://news.ycombinator.com/item?id=23303037

(How does one get the actual date and not just "12 months ago"?)

Yep, they're at it again. Did they learn nothing?
Probably their VCs wanted more MRR rather than more respect of privacy, and it translated to this.

Ultimately they are optimizing for profit, not (profit*ethics), and all of their actions will be guided by that optimization.

This was the echo of old bad decisions, not a new one. It wasn't intentional on our part, and we're working on a fix. (See my top level comment for more detail on what happened.)
The HN api includes the timestamp (unix time). For instance: https://hacker-news.firebaseio.com/v0/item/23279837.json?pri...
I wish all sites that do the “x units ago” thing would put the time stamp in a title attribute.
If any accessibility experts are reading, is there a best way to do this? E.g. title attribute is best for mouse users to hover on desktop, but is there a way that works for all users on devices? Maybe the abbr tag?

So far I haven't seen an html-only solution that works on mobile.

Not an accessibility or html expert, but in the AWS console you can switch between "x days ago" and exact timestamp by clicking/tapping the timestamp.
I've been developing my new website and use "x days ago" which is a feature of most date libraries like luxon or moment. I modeled what GitHub does where you can mouse over the text and it produces the actual timestamp. On mobile that doesn't work, so I print the date in disabled text.
Fortunately, about a year ago, I swapped all my profile info with random info a photos of some various randos who share my name.

This company started doing jerk things from the start.

They wouldn’t let me delete my profile, but fortunately let me change all my details.

I just followed your example. Even changed my email. Won't be able to log in again, but I can live with that loss.
Same here. Can’t log in any more.

I suppose it’s only a matter of time though until companies wise up and go through historical info and not just present values.

I’m assuming they still save previous values. But just hoping it’s not frequent enough for companies to bother.

In my case, I just didn’t want business associates browsing the info.

Using photos of someone who shares one's name seems like it could turn out bad for that person.

In some contexts of how info&photos are used, seems like it could constitute impersonating that person, and knowingly fabricating/asserting false information about them.

You could just grab an image from https://thispersondoesnotexist.com/
It’s funny, I’ve thought about it since then, but didn’t know about it at the time.

I changed the email address to something random and can no longer to adjust.

If I was trying to reset a profile in the future, I’d use this site.

Good point. I have a very common name and used multiple photos from different people, all with the same name. And the details on the account do not match the photos.

Perhaps it could be fabricating false info about them, but I’m not aware of that being a crime or even being prosecuted. And I’m not sure a reasonable person would link it to a particular individual.

You're thinking about effects in scenarios that are targeted, and human-in-the-loop?

There are also scenarios of automated, mass use of data from surveillance capitalism, where effectively adding incorrect information to these other people's various fusion profiles might affect them adversely.

Pre-Web, one of the concerns about databases of people was that individuals could harmed by incorrect information in databases. That was even before we knew that the computer industry would switch to widely doing things that we used to think were unethical.

(Regarding legality, I don't know whether the legal system has caught up with intentionally linking other people's identities to incorrect information, but I've heard there are concepts like "https://en.wikipedia.org/wiki/Defamation". But I think we're all concerned here with doing what's right.)

I appreciate the fighting back against a company abusing privacy, but our own industry situation is such a mess around this right now, that we have to be careful to avoid non-obvious collateral damage when we fight back.

(I'm just mentioning this for the benefit of HN discussion; I'm not criticizing an individual. These are tricky times, and we can figure this out together.)

I have used this strategy with websites that don't have a delete as well. Works great as far as I can tell.
Triplebyte has delete profile button, so easier to just do that. That email looks like old stale mail, because when I logged in it is very easy to change my profile’s visibility or delete it.
When I scrambled my info, the delete profile button took me to a page that said it would take 30 days to remove.

And this was when triplebyte first planned to make public in just a few days.

The whole point is that I don’t trust triplebyte to respect my visibility choices.

I just checked and my (unfinished) profile is still not visible. Weirdly, it says that it's not visible for the next 12 months, but I'm pretty sure it's been more than 12 months since I last logged in.

It also says my profile is not shareable yet, so maybe I just got lucky in that I bailed early. I did one quiz out of curiosity, and then locked down my account as much as possible after I found out a little more about the company's reputation and track record.

So I think that "next 12 months" thing is just a bug, and a user not finishing their profile is somehow an edge case that they didn't plan for. That's some pretty bad product work, but it fits the rest of the vibe the company gives off.

I'm hoping this is just a stale mail? It'd be weird to have the same discussion here all over again.

Everything the CEO mentioned last time is still applicable.

What's worse is I'm not sure we'll be able to collectively drum up enough outrage to get it reversed this time.

If this is true, I'm just going to delete Triplebyte and all things associated with it. If the practice becomes, "wait until theyve forgotten about it then try again." I dont trust them, and wont again.
The TLDR here is that one of last year's dark patterns was that you could only hide your profile for up to a year. We changed that immediately after last year's thread, and you can now hide it indefinitely, but we didn't retroactively apply that fix (which we'll do now). See top-level comment for more details.
Glad I deleted my account at the first sign of this sort of user-hostile behavior. Really a shame such a great and needed concept was ruined by poor execution.
I am deleting my account also. Why do they insist on doing this crap that really hurts their reputation?

Cmon. It's your users that helped you get the recruiting fees and put you on the map. Don't go around backstabbing us and disrespecting our privacy.

What's their business model? A pimp for software developers? Let me guess: their next move will be to nudge users with "Hey, a recruiter from X is really interested in your background! Based on our quick chat with them, they are willing to offer at least 500k. Please login to review their terms." and promptly demand state ID, bank statements and W2s to login. If the user is stupid enough to give that, they'll just say "sorry, the recruiter has moved on with another candidate, but here are other opportunities for you."
(comment deleted)
> What's their business model? A pimp for software developers?

No, but I wish someone would fill that role.

Though pimps are almost always just called "agents".

It is insane that they are going to do this again after all the outrage from the last time this leaked. What a shame that they are going down the dark patterns rabbithole. the service they offer on first brush looks useful from a developer's standpoint but these kinds of posts i've seen sour me on trying their service. a shame really.
Triplebyte are about interviewing and being middleman. This requires a certain churn rate.

So imagine that now you're employed but didn't get it from triplebyte, one day you get called into the bosses office: "We've noticed youre listed on triplebyte as seeking another position..." This may be detrimental if in fact you want to stay. Eg raises, bonuses.

Automatic listings to me are privacy violations.

Wouldn't it increase your odds of a raise/bonus, if you're valued by your current company?
Either could happen. Normally the choice to reveal this information is up to the employee, not some other company.
Not at many places. Your boss will generally try to hire someone in advance to cover for your departure. If you don't depart they may ask you to (fired). Fine if you were looking / interviewing, not great if you were not.
As a hiring manager, I find this hard to believe. It is so hard to find good talent, we would never push someone out over this.

In fact, I always encourage everyone on my teams to keep an eye out for opportunities. You never know when you will need them.

As a hiring manager, I find this hard to believe.

One doesn't have to participate in organizational tactics that favor replacing employees over negotiating the conditions that makes notions of loyalty an inherent trait of the workforce to at least acknowledge that there are questionable actors in positions of power in the employer/employee dynamic who aren't willing to make the emotional and capital investment in their people.

Brings to mind something I saw on someone's wall once "pay people well enough they'll never need to leave, and treat them well enough they'll never want to".

Our experiences aren't universal. I'm also a hiring manager, and I don't find it hard to believe at all. Very early in my career I gave two weeks notice to a job I worked at for four years, offering to train up a junior on the team. I was walked out the same day.

The part I found hard to believe is the idea that “not many places” would work to keep a good employee that was looking for work elsewhere. I don’t doubt that places exist that would immediately fire someone in this situation, I just find it hard to believe that is the majority of places.
"Not at many places" can mean most would but many wouldn't.
This one has a ton of complex incentives. As a manager it's expensive to invest in growing an employee and promoting them. This requires setting them up in the right projects, helping them navigate situations they weren't prepared for and ultimately risk if they prove unable to handle it/your promotion case wasn't strong enough.

It's only really worth the risk as a manager if people stay with the company for a significant period of time, at least long enough to make it through to promotion. If you see that someone may be looking, then you aren't going to invest in them and will focus on someone else in your team.

All this is balanced on the turnover rate of our industry at ~18 months to 3 years median tenure.

Hiring managers I think are often out of touch then with supervisors.

As a supervisor, you want to invest in folks who will be staying for the longer term - and doing what you can to reduce turnover (generally). There are also folks who like to job hop. If I'm supervising a team, and 9 of 10 have given me the sense they are staying, and one is on his way out the door - I'm focused on the team that is staying, finding additional capacity to cover if the guy walks, and definitely not investing much in guy walking out the door.

I think it is often a mistake to counter someone who is leaving. Stay on top of compensation, progression etc, and keep and reward the folks who stick it out with you.

Shouldn't I be in charge of that decision?
Varies a lot by manager, company, and culture. If they are determining raises and have enough for 3% per team member, allocating 6% to someone who is a flight risk is risky. If that person leaves, 3 people who got 2% raises are now getting paid less for a strategy that didn't pan out. As a manager, you may be able to get an out of cycle raise for them, or you might not.

If the other employees start looking for a job because of the low raise, you will have more positions to fill and more headaches trying to transition projects between people, reprioritizing, taking on additional work to fill in the gaps, training the new employees, etc.

anyone forget that triplebyte even existed?
This is what happens after you "snooze" your profile visibility for a set length of time. This is not a new feature.
Hi folks - I'm a PM at Triplebyte who recently inherited this part of our site.

You're absolutely right that this is a dark pattern, but it's not a current one - it's the echo of the dark pattern we screwed up on last year. If you hid your profile at the time, prior to last year's thread and our response to it, the maximum duration was one year (and yes, this was a really terrible idea among the other really-terrible-ideas that were called out at the time). But we changed that last year during our internal response. Hiding your profile indefinitely on our current site does in fact hide it indefinitely, and has ever since it was added as an option. (see https://imgur.com/n5e4CMB - and just to be clear this is my personal prod-testing account, not an actual person whose profile I screenshotted)

What happened here is that if you had hidden your profile just before we added the indefinite option, you were caught by the old dark pattern, which only let you hide it for up to a year. (And so, a year later, we're correctly informing you that it is now visible again.) We fixed the site at the time so that no one would newly be caught in this pattern, but what we failed to do was retroactively change the setting for people who'd selected 'one year' prior to that point.

This was a genuine oversight, and we'll fix it. I need to speak to our engineering team to make sure we can actually do so, but my immediate plan is to effectively just make the indefinite hiding retroactive by assuming anyone who set it to the max last year wanted that. In any case, it will get fixed one way or another - I was as pissed as anyone here by last year's events and have no intention of leaving y'all high and dry.

This has got to be one of the best mea culpas I've seen in a long, long time. If anyone internal gives you heat, you can tell them that, for this current non-client, it's actually moved Tripplebyte from "never in a million years" to "hmm, maybe I'll look into them." Being brutally honest makes the difference.
This actually definitely moved it to "not in a million years" for me. What kind of clown show engineering team makes this kind of oversight? They knew there were profiles that would be part of the old 12-month delay feature (and if they didn't know about this feature that also speaks volumes about their internal knowledge of their own product) and neglected to fix it or notify them about their new options. What else are they neglecting?

This is not a weird edge case or a nobody-could-have-caught this. This should have been obvious and come up immediately in the "how are we thoroughly addressing this dark pattern" root-cause.

This is something that can happen even if everybody is aware of the problem. We don't know what their internal structure looks like, but in enough places I've worked, if something like this would happen, it would be clear that something needs to be done, but it would also be everybody thinking it's someone else's responsibility to do it, so the end result is that it doesn't get done until someone notices the problem again after it should have already been addressed. That's bad, but not "not in a million years" bad, in my opinion.
The question is more like 'clown show, or evil clown show?'

If you think the former is uniquely horrible, you've not run into the latter :)

The world is much worse if we don't let people correct their mistakes.
This now marks the 2nd time we are "letting" this company fix the same mistake, and it gets harder to assume good faith when the same issue crops up repeatedly.

Calling out poor engineering is not prohibiting them from fixing it. It's calling the bluff on "oopsie woopsie a privacy issue again, silly us," for a company whose primary KPI is public profile engagement. The more things like this happen, the less they look like mistakes.

> The more things like this happen, the less they look like mistakes.

That's a fallacy and being kind to humans is hard.

It's taken me a long time to understand this, but sometimes the single mistake is something that leads to a cavalcade of mistakes. That could be putting a burned out person in the review pipeline who greenlights everything, it could be an overzealous engineer trying to make a name for themselves with retention and engagement, etc...

As pointed out earlier, we do need to let people make mistakes, and often their paths will appear to be non-linear. I struggle with this too, but a world that doesn't understand that is much worse.

(comment deleted)
(comment deleted)
'What kind of clown show engineering team makes this kind of oversight?'

either you've never worked at a company or you've only worked at one or two places, and they had astoundingly high standards for successful collaboration. what were they, because now i want to apply to work there.

It's news to me that fully fixing a bug constitutes an "astoundingly high standard for successful collaboration." I consider that a baseline expectation, across my 14 years and 5 different companies of industry experience.

I stand by my point that this is a symptom of amateur hour engineering.

Seriously, can you list those 5 companies? Because where I am currently at, this level of ineptitude is something to aspire to.
Awesome. Would you mind answering the question posed above you? I’m definitely curious myself.
Fully fixing every bug constitutes an astoundingly high standard for successful collaboration. Every place I've worked fully fixed some bugs, after all. You'd think that massive company-threatening bugs that result in damage control to the press would be different, and they are, but often not in a way that makes them more likely to be fully fixed.

I note that you seem to have ignored my question entirely, in what I can only characterize as mean-spirited discourtesy.

It's the one bug involved in a huge outrage and a statement from the CEO. It's the one bug that they announced publicly that they fixed, despite absolutely knowing that they didn't. So yeah, just one bug.

(Nothing against this PM, btw. But what a bunch of incompetence from the CEO)

Looking at the public bug tracker of any mildly large company teaches me that fully fixing a bug just isn’t a thing they do.
I feel like you either haven't worked at many early startups, or there is a bit of a double standard here.
This is a good response. Your CEO should read it and learn from it - as far as I recall his handling of the response to the incident last year was nothing short of abysmal.
(comment deleted)
After this reminder, I remembered his initial response. https://news.ycombinator.com/item?id=23280137

He's since walked that back a bit (see other comments in his profile) , but personally I tend not to give someone the benefit of the doubt after they get shit on for such a terrible response.

(As a somewhat related note, people I know who have tried sourcing through Triplebyte were unimpressed with their candidates. No personal experience myself. I'm also told their cringey reddit ads had really good conversion, which feeds a narrative I'd be happy to believe.)

Having been sourced through Triplebyte (or rather, not sourced through Triplebyte by any company at all), I’m inclined to agree.
What is your plan to prevent things similar to this of happening in the future?
Well, in this case it mostly didn't happen in the future - most of it happened last May. Our failure to catch it recently was a mistake, but the root error was building it that way in the first place. Still, I take your point.

After last year's snafu, we had a company-wide retro to discuss what had happened. It lasted a couple of hours, during which several people (including myself) were pretty blunt about what we thought. I don't want to get into a complete postmortem here, if only because it would make this post require ten paragraphs of niche internal culture context, but the biggest problem was that we had an internal communication breakdown. Many people who were uncomfortable with what we were doing, and who could have predicted the public response, did not feel empowered to speak up about it. Not in the sense that they'd face backlash for doing so, but in the sense that they felt they'd be ignored. This was less true than they thought - had they all spoken up at once, it probably would have made a difference - but more true than it should have been.

Since then, a number of people within Triplebyte (including Ammon, but also myself and various others) have made an effort to create space for those kinds of concerns.

One of our defining traits as an organization is that we're very good at creating coherent internal narratives. Everyone knows what we're doing and why. But the flip side of that is that in the effort to create clarity, we sometimes run over inconvenient details like "wait isn't that a terrible idea". That means that to avoid problems like last year's, we need to be explicit and deliberate in actively seeking out dissent about what we're doing, especially from people who are not the very assertive strong personalities that tend to show up in leadership. That doesn't mean that dissent is always right - strategic decisions are difficult and complicated, people do sometimes lack the visibility to see why they're made, and in a room of fifty people there's always going to be some disagreement - but it costs us very little to listen to it and (as we learned last year) can cost us dearly when we don't.

(Actually, as I was preparing to submit this post, one of our engineering leads pinged me on Slack to suggest ways we could avoid mistakes of the kind that spawned this thread - TLDR, build less automated shit that we can forget about until it bites us.)

I realize this reply is a little bit nonspecific ("make space for"? what does that even mean?), but that's the nature of solving a culture problem. You're necessarily wrestling with subtle cues and unspoken assumptions rather than with a thing where you can go "ah, yes, we just need to change step 2a of our product development process". But for what it's worth, I think we've gotten better about making sure we consider how people feel about what we're doing, and we've avoided some potential bad decisions in the year since then as a result.

I for one, submitter of this thread, really appreciate your transparency and candidness.
This post is really, really refreshing to read. As a startup founder I empathize deeply with how difficult it is to "actively seek out dissent." Product pipelines move quickly, teams need to feel they can have initiative to deploy things independently from the rest of the org, as a cross-team leader it's unhealthy to squash that initiative... but at the same time you need to set boundaries about when something needs consensus.

IMO this is why it's vital to have Core Principles at a company (in this case, "user trust" might be a reasonable wording), both at a product level and a meta level, about how the world needs to see the company and the company needs to see itself. And when any employee, no matter where, feels something might breach Core Principles, it should be a five alarm fire that the C suite should know about and react to (or delegate said reaction), and if it turns out to be a misunderstanding, that employee should not feel they expended any political capital in escalating their concerns - at worst they might just require more context about why something is either a non-issue or necessary (which in this specific case doesn't apply), and leadership should be excited to see them growing by asking those questions. Ideally, it's as easy and low-risk as submitting an internal bug report.

Of course, I can imagine this stops scaling at some point. FAANG need very different approaches to this problem, and that's probably an entire business school class to answer. But I feel any smaller organization with a focused product can move in this direction!

If the feature was only added after the backlash when everyone scrambled to hide their profiles, it amounts to nothing more than a “let’s try again next year”. A very convenient “honest mistake”.

If that’s not the case, can you share the percentage of profiles that will be turned public as of now?

As of now, none. We disabled the job that would re-enable profiles at the end of that snooze period until we have a more permanent fix.
Still waiting for TripleByte to allow people with hearing loss to be able to be the ones to make the call for an interview.

Has to do with Federal Relay Services where we can shop for an interpreter that can actually talk the talk (computer lingos).

Despite acing the lower (backend) system engineering question, I feel that this has been a standstill in getting to work for Google.

Also default dark pattern impacted me as well.

I don’t think Google uses triple byte? just apply directly instead.
In my experience, companies with poor security or privacy culture will tend to continue to make these kinds of missteps, again and again. Because it's not just one PM or engineer or executive, it's the company environment.

Companies with good culture will still make mistakes -- be it violating users' trust or suffering a breach -- we are all human. But there won't be a pattern of them.

In this case, it seems like a pattern for Triplebyte.

This is the same as the adage which goes something like:

Why would you expect someone who has demonstrated a complete lack of empathy to suddenly do so?

Which is why most people should probably leave toxic bosses, workplaces, as not be a user of the services they provide.

Someone should compile a list.

(comment deleted)
Gentlemen and women, let me warn all of your folks. Do not leave your real names on triplebyte, karat.io, hacker rank, leetcode and any other website precisely because of nonsense like that.

Also, on karat.io, the T&C are pretty much against you. Here is what their site reads.

Karat may (a) record you and your Interview in any format, including video or audio; (b) disclose the Interview and a recording and/or a transcript thereof to Company; and (c) use all Interview content and data, including your name, likeness, and voice, for its own internal purposes.

*Karat owns* all rights, title, and interest in the Interview and any works derived therefrom, including all copyright, and you hereby assign, transfer, and convey to Karat any and all rights you may have in the Interview.

*You waive and release Karat from any and all claims or other liability for any loss, harm, damages, or expenses * arising out of your participation in and any use of the Interview authorized under this Agreement, including without limitation any such claims alleging or arising as the result of Karat's negligence or Company's use of the Interview.

No sane person should be using these platforms.