Tell HN: Interviewed with Triplebyte? Your profile is about to become public
1437 points by winston_smith 1 day ago | 554 comments
Fortunately this email made it through my spam filter. Looks like they want to take on LinkedIn and are planning to seed it by making existing accounts public unless you opt OUT within the next week:

Hey [redacted],

I’m excited to announce that we are expanding the reach of your Triplebyte profile. Now, you can use your Triplebyte credentials on and off the platform. Just like LinkedIn, your profile will be publicly accessible with a dedicated URL that you can share anywhere (job applications, LinkedIn, GitHub, etc). When you do well on a Triplebyte assessment, your profile will showcase that achievement (we won’t show your scores publicly). Unlike LinkedIn, we aim to become your digital engineering skills resume — a credential based on actual skills, not pedigree.

The new profiles will be launching publicly in 1 week. This is a great opportunity to update your profile with your latest experience and preferences. You can edit your profile privacy settings to not appear in public search engines at any time.

Our mission is to build an open, valuable, and skills-based credential for all engineers. We believe that allowing Triplebyte engineers to publicly share their profiles and skills-based credentials will accelerate this mission.

Thanks,

Ammon
Co-founder & CEO, Triplebyte






Assume for a moment I'm a bad-faith, nosy employer who reads HN on a Saturday morning. All it takes for me to match up my little stack of current employees' resumes is a person's city of residence, skills, and employment dates. If I'm that kind of employer, that's enough to raise my red flags. If prior employers are named outright, that's a 100% ID. If employment dates are paired with employment location, that's a 100% ID.

I've known employers like this. I've worked for employers like this. Employers are already monitoring social media. Third party services are paid by employers to monitor for staff that might be looking at other jobs. Recruiters make it their mission to know who's looking and what employers are likely to need their services in the near future. This is much of why trust and discretion is the most important asset on both sides of hiring related activities.

Triplebyte burning down their reputation as a recruitment avenue is one thing. Locking job searchers into reputation and livelihood risks inside Triplebyte's own reputation dumpster fire, on the Friday before a holiday weekend, during historic unemployment levels, in the middle of a fucking pandemic, is unforgivable. The CEO showing up in person with hamfisted gaslighting (seriously?) in the middle of this self-made disaster makes me hope those comments don't get flagged out of future HN search results.


At the moment of writing I had to go to page 3 of the comments to find the CEO's response:

https://news.ycombinator.com/item?id=23280120

Piggybacking on this comment and linking here so people can more easily see how completely tone-deaf it was.

More from his comment history here:

https://news.ycombinator.com/threads?id=ammon


What most annoyed me about the response was that this criticism:

> making a profile public meant making public that people were job searching

was repeatedly met with this response:

> we're not making any profile details public.

Which avoided what people were upset about. It's talking past the issue and I'm not sure what the expected outcome was, either from this original screw-up or the response.


That’s because people use downvotes as disagreement, when they should be upvoting to make sure it stays visible.

> those comments don't get flagged out of future HN search results.

Triplebyte is a YC company and HN is a YC site, so economic interests are aligned with nuking highly critical comments.


That's a natural assumption, but if you think a step further it's not hard to see why it's false: you shouldn't optimize for local optima, especially if doing that would ruin your global optimum. When you have a goose that lays golden eggs, don't risk the goose for an egg.

YC's economic interest in HN is having it be a happy, thriving community. That dominates all other considerations put together. A fast way to ruin that would be to destroy the community's good faith by suppressing negative posts about YC or YC startups. In addition to being wrong (we wouldn't want to belong to such a community ourselves), it would be dumb. If anyone wants more explanation there are posts about HN vis-à-vis YC's business interests going back years: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... See also https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que..., which describes the simple way we try to optimize this (simple in principle, though not in execution). And see https://blog.ycombinator.com/two-hn-announcements/ from 2015 about HN's editorial independence.

(Edit—because I've been wanting to write about this for some time and this may as well be the place:)

The above is the answer I always give to questions of how HN serves YC's business, because it's true and it's solid economics. It's the right answer to give to anyone who's looking at the question through a cynical economic lens (as we all have been trained to do) since the answer is, basically, "we can be even more cynically self-interested by not doing that".

However, I also always feel a little bad after giving that answer because it's not the deeper truth. The deeper truth is that we just feel this way. HN and YC grew up together. In a way they are siblings, and one doesn't exploit one's sibling. Or, to switch metaphors: because HN and YC grew together, the connections between them are complex and organic, like the connections between brain hemispheres. If you get in there and start snipping and moving things around, you're likely to end up with a self-lobotomy.

If you want a hard-nosed business reason for how HN makes money for YC, one is: it leads to people starting startups that wouldn't otherwise exist, and it leads to YC funding startups that it wouldn't otherwise get to fund. That's how HN adds to YC's core business (edit: but see [1] below). I use that reasoning to explain to people why we don't need to sell ads on HN or do other things to monetize it or drive growth. Again, though, it doesn't capture how I (and I think most at YC) really think and feel about HN. The deeper truth is the two have always been together and we can't imagine them otherwise.

In other words, the value of HN to YC is intangible. That affects how we operate HN. If the value were tangible, then snipping things and moving them around and generally being bustling and managerial would probably be the way to go, or at least the most likely thing that people inside a business would do. But since it's intangible, all that kind of thing gets supplanted by a general feeling of "this is good, don't fuck it up". Since the main indicator of whether we're fucking it up or not is the community, it follows that the way HN can most add value to YC is by keeping the community happy. Happiness means two things here: interest (because HN is supposed to be interesting) and trust (because a community can't exist without trust).

This is not a mystical paradise that will last forever—it's a historical accident that an internet forum ended up in a sweet spot vis-à-vis the company that owns it, where the business is better off optimizing for the forum being good and happy than by banner ads or growth hacking. But we all know that it's an honor to get to be stewards of a community in that way, and while nothing lasts forever, we want to keep it going as long as possible, and maybe longer than anyone would have thought possible.

[1] edit: for some reason I forgot to mention the three formal things that HN also gives to YC: job ads for YC startups, Launch HN posts for YC startups, and displaying YC founder usernames in orange to other YC founders. See https://news.ycombinator.com/item?id=23293437 for more.


It's clear to see that you (all) have kept HN as good as it is over all these years, not for cynical economic reasons, but because it's right. It's right for the HN community and, given HN's somewhat unique position, maybe we can even say it's right for the larger society.

I'm sure that over the years there have been countless opportunities to ruin the community for short term gain, and because the right decisions were made, the community will in most cases never know or appreciate the choice. The only evidence is that HN is still here, and hasn't been trampled down by the armies of mammon even when so many other internet communities have been.

Sometimes you have to protect a goose, even at cost, just because it's a happy goose and it's alive.

It's rare in a place where so many think they are being hard-nosed little economists (though actually merely joining the chorus of short-sighted armchair bean-counters) to admit that you did something without needing any economic justification.


(Because a simple upvote wouldn't do this comment justice)

I think it's a really, really great response. YC community is indeed very special, and I am often surprised that over these years, it keeps attracting high caliber people and has a high signal/noise ratio, while at the same time remains a pleasant community that favors civilized discussion.

Moderating is a thankless job, but please rest assured that many people here value your efforts, even if we don't verbalize this gratitude often.


While I have a handful of YC friends and certainly admire a lot of the YC higher-ups, I will say for me and my co-founder, it was probably more HN that caused us to apply to YCS19 than anything else. Meeting PG/PB was icing on the cake, not the impetus. Thanks for all your hard work on HN - it's a really wonderful piece of the net!

You need to get a new SSL certificate for erulabs.com

Thanks for the reminder!!

Great explanation! I’m surprised you didn’t mention the two reasons I always thought YC pays for my news:

1) YC company friendly marketing channel. Reasonably good posts from YC companies get upvotes here, which means eyeballs and potential customers or users.

2) YC company recruiting channel. Related to above, since many posts end in “we’re hiring”, but there’s also the explicit time-decaying recruiting posts that show up on the front page.

Are these not concerns? Or just secondary to increasing startup formation generally?


Not so much #1. It's true that YC companies get attention on HN, but they have to struggle for it like anyone else (not counting the Launch HN posts - see below). We help them sometimes, but we help non-YC startups too, and the question is always what the community will find interesting. I don't doubt that YC startups probably have an edge on HN, but if so, it's for more subtle reasons (e.g. the fact that YC alumni have always been a core part of the community).

Definitely #2. The job ads that appear on the front page are only for YC startups, and that's one of three formal ways that HN gives back to YC in exchange for funding it. The other two are that YC startups get to do a Launch HN post, which gets placed on the front page (see https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...), and YC alumni usernames are displayed in orange to other YC alumni. For some reason I always forget to mention these things when writing on the above topic, I guess because I don't think they add up to the biggest thing, even though they're significant. In my mind the big thing is the connection to startups forming and applying to YC. However, no one has ever tried to measure these things, and I'd feel a bit queasy about doing so. It would feel like stepping out of the magic circle in a fairy tale. One should not step out of the magic circle.


> When you have a goose that lays golden eggs, you don't risk the goose for an egg.

I would agree that you shouldn't, but all too often we see companies do.


Ok, I've edited out the "you" in "you don't" to remove that ambiguity.

More interestingly: do you have examples in mind?


> economic interests are aligned with nuking highly critical comments

This is theoretically true, but the fact that it's been on the home page for 12 hours and has accumulated hundreds of critical comments, none of which any mod has touched, seems to (a) eliminate that possibility and (b) demonstrate that the risk is theoretical, not actual.

(Keep in mind that YC has thousands of investments, so whatever you think of their ethics or the incentives, a filter like this would be impractical and obvious. Also see "Not behaving in a way that damages the reputation of his/her company" on https://www.ycombinator.com/ethics/ - it's hard to imagine YC supporting this.)


In fact the only (public) mod action was to put it back on the homepage after it tripped the flamewar detector and fell off.

This thread rose to the top group of the front page last night (you can see I posted here then, I happened to see it). Then it sunk quickly and disappeared. I was a little dismayed because the cynic in me was thinking along the lines of it being removed for being antithetical to YC company success. I went to bed.

To my surprise, it was back up near the top this morning with almost a thousand votes and hundreds of comments. TripleByte may have chosen to burn their reputation irreparably, but I have gained a lot of faith in YC and the mods here.


It fell because of a software penalty called the flamewar detector. We review posts that get that penalty because there are often false positives. I saw it on the list last night and restored it (https://news.ycombinator.com/item?id=23280488). That was the only action any moderator took on the post. I'm glad I saw it quickly enough, because there would have been a nightmare of a flamewar about us 'suppressing' the post if we had missed this, when in reality it would just have been an accident of timing.

That raises the obvious question of why we have such software if it causes such problems, but the answer is simply that it helps more than it hurts, overall.


Hi dang, sent you an email about this, but perhaps it would be useful to include a page on HN recording "recent moderator actions". This could make the process more transparent for users and help them understand your actions (rather than producing conspiracy theories every week).

The question is whether that would raise more objections and protests than it would answer. Almost everything we do is defensible to the community, because if it weren't, we wouldn't do it in the first place. (I say 'almost' because we make wrong guesses, but then we're happy to admit mistakes and fix them.) That doesn't mean it's all self-explanatory, though. On the contrary, it can take a long time to explain because there are many complexities, tradeoffs, and non-obvious aspects.

Meta threads and discussions tend to invite objections from the litigious type of user. Such users are rarely satisfied, but they tend to have a ton of energy for meta argument, so it's easy to get into a situation where any answer you give leads to two or three fresh objections. Such objections have to be answered with great care, because if you slip up and say the wrong thing, people will use it to start an online mob against you (edit: not to mention they will quote it against you for years to come). This consumes enormous mental and emotional energy. (Edit: by the way, this is asymmetrical: the people raising objections and making accusations are under no such restriction. They can say anything without downside, no matter how false it is or what they accuse you of. They can make things up with impunity and people will believe them by default, because on the internet you are guilty until proven innocent, plus everyone loves the underdog. These are additional reasons why it's easy to end up in a situation where every comment you spend an hour painstakingly composing earns you a bunch more counterarguments and demands.) These arguments tend to be repetitive, so you find yourself having to say the same things and defend against the same attacks and false accusations over and over. This is discouraging, and there's a high risk of burnout. Disgruntled users are a tiny minority, but there are more than enough of them to overwhelm our scarce resources.

I fear this outcome, so we've always shied away from adding such a system. We do want to be transparent, and we answer whatever questions people ask, but it feels safer to do it ad hoc as questions come up. There's no specific question you can't get an answer to, other than a few special cases like how HN's anti-abuse software works.

There's an opportunity cost issue too. The vast majority of the community is pretty happy with how we do things—I know that because if they weren't, we'd never hear the end of it, and then we'd say sorry and readjust until they were. I think it makes more sense to do things to keep the bulk of the community happy, or make them happier, than to pour potentially all our resources into placating a small minority—especially since, once you've done this job for a while (say, a week) you know that nothing you do will ever be completely right or please everyone.

On the other hand, if I could ever be persuaded that a full moderation log would satisfy everyone's curiosity and reduce the overhead of misinterpretation, complaints, imagined malfeasance, etc., then we'd be happy to do it.

This question has come up repeatedly, so if you're curious to read previous answers, see https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....


I first want to express my gratitude for your thoughtful reply, and more generally your willingness to consistently engage with the HN community with both reason and compassion. I have no doubt you have the HN community's best interests at heart - there is simply legitimate disagreement about how best to accomplish that. Your cooperative communication style undoubtedly goes a long way in allaying the community's concerns. So, great job on that front.

I agree with you that any community faces the problem of a vocal, critical, and nearly insurgent minority. They seek to identify contradictions in your logic with the predominantly self-interested goal of demonstrating intellectual superiority rather than finding genuine solutions. I can understand the emotional burden of continually sparring with such individuals. You can't please everyone.

In contrast, there is the silent majority. By virtue of their silence, it would appear they condone current management of the site. I am not sure this can be assumed.

First, it is generally the "first movers" of a given activity who are both the first to try it, but also the first to defect. For example, there are people who are passionate about Microsoft or Apple products and review them publicly. When they stop reviewing these products, it is indicative of a lack of passion; they have moved on. The majority soon follows, just like they did when the first movers initially promoted the activity. In this way, the first mover is the proverbial canary in the coal mine. Are HN's vocal critics really first movers? The ones who are thoughtful, at least, are certainly among the most passionate and engaged; losing them would be the canary. (Admittedly, you must be able to discern those who are vocal and thoughtful from those who are vocal and thoughtless, but I am confident you have that capacity.)

Second, there is the issue of the 90-9-1 rule. The vast majority of users of HN never comment nor express their opinion; they simply observe. This will be true whether or not they are satisfied with the service. If they are dissatisfied, they don't comment, they simply leave. On the other hand, composing only 10%, the vocal minority must necessarily be the minority. Can we uniformly dismiss this vocal minority as unrepresentative of the silent majority? No, because there is no other proxy for surveying the majority. (Again, you must discern the productive from the unproductive critics.)

Finally, there is the burden of simply engaging. I am amazed by the amount of time and effort you must invest into moderating HN and in writing your responses (among, I'm sure, numerous other activities such as actually writing code). It appears that recapitulating your justifications over and over again is not particularly efficient.

That, however, does not imply that failing to justify your actions is suddenly an adequate substitute. It simply means that the current method is inefficient.

There are a few conclusions I think we can draw from this. We can't dismiss the vocal minority because it's all we have; rather, we must discern those who are constructive from those who are destructive. Further, like blowing onto a flame to put it out, ignoring or suppressing them will likely instigate even more frenzied conspiracizing. Finally, responding to each of them individually is inefficient and burdensome.

I think a basic ledger of "moderator actions" would solve many of these issues. To start, it would probably not be an exhaustive log, but simply actions performed at the thread-level rather than the comment-level. It is transparent, just like your comments and the HN community guidelines already are. It would broaden understanding of your actions, rather than rely on users to dig through your recent comments (the only ledger thus far, without which they undoubtedly draw their own conclusions). Finally, it would reduce the burden on you.

Would it, however, pacify the vocal minority? Would they conspiracize further? Would they levy more demands to change the site?

Perhaps, perhaps not.

But it seems clear that those who are worth listening to, vocal as they may be, are in fact worth listening to. They are the canaries. And if they increasingly demand more transparency (which you would know, not I), that is likely worth making some steps toward satisfying. If they make more demands, so be it.

Communities change over time, especially as a function of scale, and I think HN is no different. The only thing that generally must be kept constant is prudent stewardship, and I am fairly confident your track record satisfies that. There may be mistakes along the way, but as long as you make a transparent, genuine effort to serve the community (as you clearly have done historically), that will go a long way in retaining the trust of the community.


To be honest, the reason I don't do it is fear. Normally I'd say "we" in a sentence like that, but in this case the fear is mine.

Maybe such a device would satisfy everyone's curiosity and make the community as happy as a gently tickled baby. Users would raise questions, other users would helpfully look up what happened in the moderation log, and still other helpful users would chime in with past examples of how we do things that way, and why. Enormous pressure would lift from our shoulders and we could sit back and eat potato chips (or carrot sticks), or even better, work on the code. No longer would we be under attack from all sides. The war would be over and transparency would rule the land. Huzzah! (In case that sounds sarcastic, I do have that fantasy sometimes.)

On the other hand, maybe it would be the apocalypse. I fear the apocalypse. There isn't a lot of room for more pressure of the kind I described upthread. We operate on the edge of being maxed out.

Also...I have a feeling that it might not be good in the long run. Moderators here are in a super complex dance with the community. I think it's important for them (us) to have the degrees of freedom that non-public moderation provides. It allows you to do things, try things, take chances, make mistakes, etc., that you wouldn't do if you were under floodlights all the time. It's for the same reason that you wouldn't want your boss standing behind you, breathing down your neck all day—even though you're not doing anything the boss would object to, except perhaps checking Hacker News too much—except that it's actually in the boss's interest for you to be checking HN that much, because it's complicated, besides which sometimes something comes up on HN that actually makes a big difference, plus...never mind, the boss wouldn't understand. It's just best if the boss lets you do your job.

I like this analogy, because the community really is the boss here...if by boss you mean a ten-headed dragon who likes to bite your head off once a day or so, but you know how to reattach your head so it's ok, except it still feels bad to have your head bitten off, plus it takes hours to reattach it. It could be that allowing moderators that degree of opacity turns out to be an essential aspect of operating the site in a sustainable way.

But the truth is I don't know. sama suggested we do this 6 years ago and I said no way, for the same reason. Maybe in another 6 years I'll have worked through the fear.

One last thing. If anyone is reading this and thinking of replying "Aha, moderator guy, I've got you! If you're so afraid...what are you hiding from the community? tell us that, you self-contradictor, you!"...I've already planted an effective rebuttal to that precise objection in this thread. So tread carefully, objector guy! Or maybe I haven't, and I'm just saying that, because it's complicated.


I think that if the moderation becomes public, it becomes a target and not an effective way to measure behavior. People will try to game the ways they interact with moderators. They'll start to argue and lawyer you against yourself -- "you didn't demote this post but you demoted mine". I think any of us who have done user moderation for more than a month has seen this kind of behavior.

Transparency is great in public institutions that spend our tax money. In communities like this, we just need a chieftain to handle our disputes fairly and keep us all from going nuts every so often. Those of us who have been coming back for years already know that you do that, or at least try your best to be fair and open and neutral.

I doubt you could keep everyone happy by releasing a log of moderator actions. People complain now, but look at ArbCom on Wikipedia, which makes all the decisions in public, and there are websites devoted to trashing the process there. And if you're not making people happier, nor making their interactions here more pleasant or informative, what is the goal again?

Plus, it's not just moderators getting a chance to make mistakes, it's also the users. I don't want to end up in a log somewhere for my terrible posts. You've told me to improve before, and I did. At least I've tried to. Admittedly my posts haven't been high quality lately. Anyway, the more formalized the process becomes, the less human we're all allowed to be. That can be good or bad, but I think in this case it's been good. Most of the reactions to OP tend to think that privacy is valuable sometimes.

I could be wrong, of course. Do what you think is best for us. That's why we keep coming back.


Wow, those are great points and I hope it's ok if I plunder them for future discussions.

I completely agree about wanting to stay on the human side of formal vs. human.


Feel free to reuse anything here. I feel like that was only bits and pieces of what I'm really thinking, but human behavior is so vast in scope that it defies easy analysis.

Yeah, thanks for the response. I saw you mention this downthread after you made the comment. Thanks for the work you do moderating this place.

Thank you for not incorrectly saying "that begs the question of..."

Bullet dodged.

Your salary should be at least 250K

This. I mean, I'm all for being aware of others' biases and conflicts of interest, but -- whatever else you might criticize the mod team for -- they're definitely not "running interference" for TB or anything here.

Regarding HN’s policy on discussions of YC companies: https://news.ycombinator.com/item?id=23280121

What 'nabilhat is talking about is the way the Triplebyte CEO’s comments in this thread (which are the opposite of “highly critical”) are being downvoted to very light grey.


When it comes to moderation of a YC startup on HN, "The first rule of HN moderation is to moderate less, not more" says dang on previous threads concerning YC startups and he has expressed the same sentiment here in this thread

Wouldn't be the first time HN/automoderation/mods have removed 'critical to YC business interests'. Happened to me with the Thalmic Myo, when I open source forced them to open their platform. HackADay also notes that HN autohid my article.

https://hackaday.com/2014/11/18/thalmic-labs-shuts-down-free...

HaD wasn't hidden.. Thalmic was.

Dang has usually responded with noncommital responses like they never do that. But further requests for being transparent has fallen on deaf ears.

edit: and -1'ed. Is this because "my content sucks"? Is it because of 'offtopic'? Or is it a mod?

Considering karma here determines rights, rate limiting, mod-down, flagging, and more - these points do matter here. And of course the larger issue here is lack of transparency. In fact, with removal of mod scores, the site has gone down in transparency.


I feel like if someone is still upset about a case like this 6 years later, we should probably try to figure out why and see what we can do to settle the matter. But HN has had 15M posts since then and I have zero memory of it. Actually I probably have zero memory of HN from 2 days ago. Can you link to the relevant post(s)?

I looked at that hackaday.com page. It says this: "Quick aside, but if you want to see how nearly every form of media is crooked, try submitting this to Hacker News and look at the Thalmic investors. Edit: don’t bother, we’re blacklisted or something."...but is also linkless. Usually when people make dudgeonly claims and conspicuously omit links, it's because what actually happened doesn't match what they say.

Re "dang has usually responded with noncommital responses": I try to be commital. There is little to be gained by not, since we try not to do things that aren't defensible to the community in the first place. If you have any tips to offer for increased commitalness, I'd like to hear them.

Edit: I just noticed this bit: "further requests for being transparent has fallen on deaf ears". When? That doesn't sound like us.


Wow. Thanks for this. I ignored the email because Triplebyte just feels a bit spammy to me now so I mentally block it out.

Have logged in to stop this from happening and currently apparently I'm "Open to discussing new opportunities", which is news to me. On trying to change it to "Not interested in any new opportunities" there's a dropdown that says "I’d be open to new opportunities in:" and most you can set it to is 2 years. These are whole new dark patterns.

UPDATE You can turn off the setting they're talking about by going to [0] and then clicking the little grey "Visibility settings" under the Profile URL section.

UPDATE There's a delete your account option on this page [1], though YMMV:

>> Government identification may be required and we may ask you for more information in order to verify your identify

[0] https://triplebyte.com/candidates/profile_builder

[1] https://triplebyte.com/privacy-center


>> Government identification may be required and we may ask you for more information in order to verify your identify

Same issue as I'm currently having with Airbnb. Though I have never ever provided any ID before, nor did I ever book anything, they asked me for an ID to prove my identity upon requesting account removal. How exactly does my ID _prove_ anything in my case (apart from the fact that I have an ID copy of a person who has the same name as I entered into the Airbnb profile page). Seems more like one more obstacle to prevent people from deleting their account.


It's pretty common actually. They will delete all your data, but that requires strong authentication, which government ID is. That's how it works with GDPR in 90% of cases.

Account removal should be just as easy as it was to sign up

I agree that it should be just as easy to suspend your account as it was to sign up, but irretrievable deletion should be harder.

Companies ideally want to stop fraud at both ends, but I would be more upset if, for example, my Airbnb account were fraudulently deleted than if someone fraudulently made one in my name.

Granted, deletion requires access to the account in question, so maybe that's enough of a hurdle already? In that sense it's already harder to delete than create.


> Granted, deletion requires access to the account in question, so maybe that's enough of a hurdle already? In that sense it's already harder to delete than create.

I tend to agree that that is enough of an additional hurdle, but note that it conflicts with

> I agree that it should be just as easy to suspend your account as it was to sign up, but irretrievable deletion should be harder.

It's definitely not appropriate for any unauthenticated person to be allowed to suspend an account. You need the same hurdle on suspension.

I think it would be reasonable to have a grace period between the deletion request and the actual deletion, during which the account was retrievable.


I've deleted a lot of accounts in the last few weeks, and Airbnb was the only one requiring an ID proof. I agree, it is indeed part of GDPR for them to ensure I have the right to delete my account. My only issue is that my ID does not prove anything in my case, because Airbnb doesn't know my identity which they could compare my ID with, because I did have to provide my ID after registering and I never booked anything on their site.

It seems like a good idea to get a fake ID, to sign up for (free) accounts using that nym. Or I suppose if you can order fake IDs with custom nyms as needed, then you could consider that the price to delete your pseudonymous accounts.

that dropdown is super annoying: https://imgur.com/a/iUFg3cn

Also, I clicked that "visibility hidden" and got this email:

"Hey Jeff,

You’re no longer letting companies know that you’re open to discussing new opportunities. Your profile will be hidden from employers for the next 24 months. You can change your job search status and make your profile visible again, whenever you feel ready explore new opportunities." (https://imgur.com/a/OBWexgo)

So even that only will get rid of it for 24 months. Let's see if they'll just delete my account.


Holy crap -- what an intentionally dark and transparently evil 'ux' pattern.

Since account deletion is such a hurdle, edit your profile to replace your name and info with profanity and let's see how Google and the various content filters will like that once the profile goes public.

Replace the information with that of a SDN (Specially Designated National)* if you really want to cause trouble!

*Don't actually do this unless you want a visit from a 3 letter agency.


Then explain to the agent "I've been in quarantine for a while now and I was lonely. Want a beer?"

I'm pretty sure they'll leave. Might not even file any paperwork on that.


Thanks, that's exactly what I did. Just obfuscated profile. Let them handle garbage.

Just a reminder that most of these companies never really delete your account, they simply deactivate it, while keeping all your data. You can also update your profile info and fill it with gibberish.

> Just a reminder that most of these companies never really delete your account

Not if you request account deletion under CCPA. Or at least not if they're smart.


The whole government ID thingy is really beyond the pale. Just imagine: you never needed it to sign up in the first place. So now after proving to be not worthy of your trust, tone deaf and ethically deficient, to delete your account you need to give them even more information.

This company deserves to die.


Give it time, an EU citizen who applied will eventually make a GDPR complaint. At which point, it's game over.

If they have $25m in revenue, receive more than 50k signups a year, or make more than 50% of their revenue selling data on California residents they are subject to CCPA.

CCPA actually has way more teeth than GDPR, because California's Unfair Competition Law allows residents to enforce laws that do not otherwise provide a private right of action (though this still needs to be proved out in the courts).


In theory. Has any company seen the pointy end of GDPR yet?

Yes, several every day: https://www.enforcementtracker.com/

Thanks for the links. I registered but never set up a profile, and if you click the link in the email or [0] above, it forced you to set up a profile before you can configure your privacy settings.

Also, after opting out of personal data sharing:

> We're processing your request and should be done within 30 days.

Same for deleting your account.


Yikes, that two year thing is gross.

They have definitely been kind of spammy for a long time...I usually ignore their emails but I actually read the first paragraph of this one and it sounded like it was an opt-in feature, so I closed it, but the important line was further down: “You can edit your profile privacy settings to not appear in public search engines at any time.”


I'm glad you posted this because I otherwise might not have found that way to delete my account.

Here's what it said when I did:

> We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

So I can change my profile name to Seymour Butts, but deleting my account that I have credentials for may require government ID that you never asked me for? WTF


I just tried to delete my account and in addition to the thing about government ID it said:

>> We're processing your request and should be done within 30 days.

30 days to delete an account? I guess they have a lot of account deletion requests to process all of a sudden!


FWIW, I requested my account be deleted, and got a confirmation email maybe 20 mins later and didn't need to provide any ID.

Thank you. I was scouring the page in a frenzy and couldn't figure out it was tucked away in the Profile URL section.

Managed to get my profile from 38 to "100% complete" in the process during my attempts to wipe out my data.

Christ.


Thank you for the link! The visibility settings button is basically invisible and so I had marked myself as "not looking" rather than "not visible".

Thanks. I was looking for the link to delete my account.

So I got an email saying my account was deleted. Tried to log in and the login failed. Curious if my information was deleted or if they just deactivate the login and my information will still show up.

Dude, I turned off the public profile thing. It appears to be off. BUT when I hard refresh the page and click again, it appears to be ON again! Am I going crazy?

If you're on desktop Safari, the only way to select the maximum 2 years option is to resize the window vertically (smaller) until the dropdown becomes a drop-up.

What's worse, the dropdown doesn't even work for me (on iOS Chrome). It's stuck on 1 month.

I interviewed via Triplebyte last year, and thoroughly enjoyed the service. Before this I would have (and did) wholeheartedly recommended them to anyone; the process was great from the candidate’s perspective and I also have confidence in their ability to accurately evaluate candidates’ skills.

After this announcement, though, I’m afraid that faith has completely crumbled. Even if Ammon had shown up in this thread and immediately announced that this was a terrible idea and they were rolling it back immediately, the mere fact that they were considering doing this is a huge blow. It doesn’t help that I skimmed the email when I got it this afternoon and didn’t even realize it was an opt-out; it was only when I saw this thread that I took a closer look and realized that the email was lacking a CTA button at the bottom for a reason. That seems incredibly shady to me and instantly changed my impression of the company.

Take heed, other companies: it only takes an instant to destroy your company’s reputation, and it’s incredibly difficult to win back that confidence.


For what it's worth, this was what happened to me. They regularly send marketing emails and updates, which I skim from time to time. It wasn't until I saw this thread that I realized that one particular email out of the (actually checks notes) 62 (!!!) unsolicited emails they've sent me in the last 12 months was this important.

For me, it seems like the emails picked up a lot in the last 2 months. I attributed this to covid aka a lot of people instantly out of work. The most cynical take is that they increased email frequency so this would be more likely to fly under the radar. I am not even sure I believe that though.

Me three.

I didn't find any good jobs on my last job hunt through them, but was happy enough with the process that I put their little certification widget on my LinkedIn. Gonna get rid of that now.

"it only takes an instant to destroy your company’s reputation, and it’s incredibly difficult to win back that confidence."

Not really. Given that nobody on here has identified the underlying problem, and are happy to blame everything on Triplebyte ... it just goes to show how nothing is going to change anytime soon.

Confidence in using this, and other services, will only grow.


I have used Triplebyte before (for the tests! wasn't available in my location yet) and before I was very excited about their eventual launch in my location. I will never use them again now.

The fundamental disconnect here is that Ammon seems to think this data belongs to him, for uses he deems appropriate, rather than belonging to his users.

This works for Facebook and LinkedIn because of network effects, but not for some random staffing agency with a tech gimmick. If Adecco or MichaelPage did this it’d attract the attention of ambitious public prosecutors worldwide.

It’s almost a shame, as the idea itself doesn’t seem terrible, but the auto-enrolment and dark patterns for removal make this whole thing feel like a New Digg moment.


The only big tech company I've seen take the public stance that the user owns their own data is IBM (of all people).

>The fundamental disconnect here is that Ammon seems to think this data belongs to him, for uses he deems appropriate, rather than belonging to his users.

This is the reason why I ultimately like GDPR: the foundation is that the user owns their data and not the company that has it on a database server.


What's Digg again?


I believe that was a joke.

What's Triplebyte?

Isn't this legally the case? There's a random place on the internet and people upload details. Not payment info, and I honestly am not clear on how much the rest is protected (USA). This is exactly what Zuckerberg called people "dumb fucks" for, and I don't think anything (legally) has changed.

I'm on your side as far as the "why the hell is this the case", but I think this is the world that (USA and others) live in.


I filed an FTC complaint. I'd encourage other concerned folks do the same, since out of court settlements with the FTC are how this is currently adjudicated in the US.

As an advocate of involving the FTC in such situations, done. Thanks for the reminder.

Legality doesn’t really matter here, public perception does. If Triplebyte comes to be viewed as an untrustworthy partner in the extremely high stakes world of career changes, they’re effectively dead.

Legal or not it's clearly the wrong thing to do and not at all what users would expect.

Ammon's previous venture was Socialcam [1], of which Wikipedia says

> Socialcam's popularity on Facebook suddenly increased in the spring of 2012, via unusually aggressive actions to induce contacts to join. It was criticized as "invasive" and a "bully" by many reviewers, for sharing what users were viewing without them realizing that that would happen.

It was only after articles like "Why I Hate Socialcam Even If It Might Be the Next Instagram"[2] (spoiler alert: it was not) started appearing that Ammon and friends sold to Autodesk for $60 million. I'm sure that investment worked out swimmingly for Autodesk. Win some, lose some, eh? But hey, at least Ammon got some resources out of it, which he went on to use to make the world a better place, and some valuable life lessons about privacy and honesty and respect, right? Right, Ammon?

[1] https://en.wikipedia.org/wiki/Socialcam#Criticism

[2] https://www.forbes.com/sites/roberthof/2012/04/30/why-i-hate...


Who knew Triplebyte was another social media company in stealth mode all this time?

Brilliant launch strategy, coming out of stealth and dragging all of its users out of stealth along with it. /s


Oh man, bait and trap? Is it so hard for a company to just have humble ambitions? Is it so bad to be a simple business that optimizes the recruitment process? Must it be a multi-billion dollar LinkedIn competitor?

Ammon and Guillaume came from Socialcam, so two-thirds of the Triplebyte founders. (Though only Ammon has shown up here, so it’s possible that Guillaume doesn’t share the same opinions.)

It was bought by _Autodesk_? Bizarre.

This is horrible, what a breach of trust. I used TB to stealthily interview for jobs, had a good experience. Recommended them to others. Now I see that if I hadn't seen this post, I wouldn't have known about this and those details would have been public, which had the potential to seriously undermine me at my current position. I'll opt out tomorrow, but according to others it sounds like the visibility link was somewhat hidden. At least with this they're well on the way to becoming the next LinkedIn, at least by their practices. What a dark pattern.

It looks like emailing candidate.support@triplebyte.com is the only way to delete your account.


> candidate.support@triplebyte.com

Did they purposefully go out of the way to make this email address unguessable/non-standard/multi-word?


support@triplebyte.com is probably for clients.

Source: Candidate, has a very specific marketing meaning, of you being the product.


There’s a lot of things to dislike about triplebyte’s behaviour here, but this particular criticism isn’t fair.

I’ve worked at 3 different companies in the hiring space across two continents and “candidate” is the internal term they all ended up using internally for people seeking jobs. “Applicant” is too vague and “job seeker” is long and hard to scan (and it’s too similar at a glance to “job”, which is also not often used).

If “candidate” has bad connotations for you, I’d love to hear a better suggestion. But I still haven’t seen a more appropriate name for my database table.

Company / candidate / role / resume / profile / interview / offer. These are the terms almost everyone uses.


I don't think the parent comment was complaining about the nomenclature. I interpreted it as pointing out that in any hiring activity, the candidate/applicant/whatever is the product. A company pays a recruiting service in exchange for hiring a candidate.

(Of course, the candidate also receives value because presumably they are looking for a job and get one in this transaction. But the whole "you are the product" trope always ignores the fact that the "product" person is receiving value in the transaction).


Not sure we are talking about database tables here. A user friendly email looks like help@xyz.com or support@xyz.com, not candidate.serialize.json@xyz.com

> if I hadn't seen this post, I wouldn't have known about this

To be fair they sent an email to everyone who had signed up; I received the same email.


If we're going to be fair, we have to acknowledge the history of email over the last thirty years: spam, spam filters, and the "Mark as Spam" button.

Email is what I use to notify my customers of a 25% sale, not to tell them that I'm going to plaster their data all over the internet in violation of the spirit of the service I'm providing. I use regular mail for that.


I’m not sure using snail mail as the default venue for important information is really the smart play here. I check my mailbox a lot less often than I check my inbox and I don’t even open 99% of the mail I get since I assume it’s just junk. I’m a lot more likely to miss whatever you sent me if you had sent it by post than if you had just sent an email like a normal 21st century organization.

I'm very much only addressing the small string of text I quoted; I agree it should have been opt-in since many people don't check their email diligently.

My problem with this is the automatic opt in, using my profile and details for more than I intended for them to use it for (regardless of whether I technically signed something stating they _could_ do this, it is borderline unethical to use my information for this purpose), only having a week to "opt out", and not knowing what opt out even does. Sending an email to everyone doesn't cure any of these points.

Not to mention that the only reference to needing to opt-out is a veiled mention buried in the second paragraph. I skimmed the email briefly, said “oh that’s neat, what a great idea” and filed it under “things for the next job hunt” thinking I’d turn on my profile then.

The link in the email did not work for me: it sent me to my profile, where I was presumably to be able to opt out of sharing my info publicly. But I could not see any way from there. Maybe I'm blind. As usual, googling worked better to find something on the site than using the site itself. Googled: triplebyte opt out -- that linked me to the right place. https://triplebyte.com/privacy-center

who reads those emails?

Precisely why this dark pattern is so common.

Your Triplebyte profile will NOT contain any data/details about you or your job search that will undermine you at your current employer. We should have included a screenshot and more details in the email. I'll talk to my team about following up with more details tomorrow. We are talking about a lightweight profile, like your Stack Overflow or HN profile, to provide us the canvas to release badges. That's it.

Even so, the decision to make this opt-out instead of opt-in is extremely questionable. If it’s just a spot to put badges, why is it so critical that it be rushed through next week? And why are you so carefully avoiding talking about the opt-out when a significant chunk of the people in this thread are telling you that it’s the main thing they’re upset about? “Sorry that you feel this way” is the worst kind of corporate-speak non-apology that makes it clear that you’re apparently not interested in responding to feedback, but just making soothing sounds at everyone until the smoke clears and you get to continue doing exactly what you planned.

> If it’s just a spot to put badges, why is it so critical that it be rushed through next week?

I'm guessing it's because their corporate metrics took a dive due to covid hiring slowdowns and now they need to justify their worth to investors who have put in $50 million.


Hey! Welcome to your first PR disaster.

I would suggest you step away from any scripts and turn on the company ears. Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.

Why does this make your users uncomfortable? How can you work with them to achieve your product goals without undermining your relationship with them?

Good luck!


I strongly object to characterizing this situation as a PR disaster. The problem isn't that TripleByte is perceived as doing something unethical. The problem is that what TripleByte is doing is unethical.

You’re not wrong, and as far as you and I are concerned, that is the problem.

From TripleByte’s perspective it is a PR disaster, or at least we should treat it as such. Appealing to TripleByte’s internal moral compass is unlikely to succeed since they’ve demonstrated that they don’t have one. So we resort to appealing to their self-interest, since that is something they care about.


Just because it is an ethical disaster does not mean it is not also a PR disaster. It looks a lot like both to me, one followed closely by the other.

> How can you work with them to achieve your product goals without undermining your relationship with them?

Literally just make it opt-in.


Opt-In doesn't help them achieve their product goals.

Triplebyte as founded isn't working so they're trying to take a valuable asset they have (engineers looking for jobs) to compete with LinkedIn.

The problem with bootstrapping a linkedin competitor is the same chicken-and-egg problem with networks generally. You need people on it for people to join it.

What Triplebyte wants is your identity public. That's the product goal. The problem is that opt-in won't get them that. What are the incentives for anyone to make theirs public?

How many people who were searching for a job without telling their company are going to opt-in to make that public?

Most certainly not enough to bootstrap a LinkedIn competitor.

So someone had the idea to move fast and break things, either:

a) hoping no one would notice

b) hoping the fallout wouldn't be bad

c) not caring that the fallout would be bad

d) not knowing that there would be fallout

None of the above are particularly inspiring. It does seem hard to miss this coming.


> Opt-In doesn't help them achieve their product goals.

None of the users care. Just because something is convenient, doesn't mean it's right.

On that note, I wish one day we'll stop letting startups get away with dishonest behavior (e.g. astroturfing) and dark patterns done for the sake of "solving the chicken-and-egg problem". Building a network is hard, tough shit. Doesn't mean you should build your company on lies and disrespectful treatment of your users from the start.


> How many people who were searching for a job without telling their company are going to opt-in to make that public?

I think that's the real issue: timing. The only time this can work is when someone has just resigned or joined a new company, so they can (and are actually willing to) "legitimately" pump up the volume about themselves.

So make it an easy opt-in triggered by these events. Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship, should get opted-in automatically. Everyone else, you hold fire until something significant happens publicly, at which point you gently prod them. You can even ask, when someone signals they are looking for a job, "do you want your profile public at this time? It's a pretty cool thing! If not, no biggie, we'll ask again once things change."

It's not rocket science to do this respectfully and it's sad that they didn't.


But doing it all at once and having it opt-out accomplishes that. If "John Smith" has a public TripleByte profile next week, as a third party the only signal I can get out of that is that "John Smith" passed the TripleByte interview some time in the past. I'd be okay with this if TripleByte gave a couple weeks to opt-out and made certain potentially sensitive information opt-in. Just make it 4 weeks to opt-out and by default don't display the date they interviewed with TripleByte and don't display "Open to new opportunities". Then just ask the user what they want after new interviews and accepted job offers.

If they made the initial launch opt-in then that signals that the user deliberately chose to advertise that to the world. The message a current employer gets out of something that's opt-in instead of opt-out is notably different. This is just like the whole opt-out fiasco with the Do Not Track header. If it's opt-out, the signal is largely meaningless. In this case that's a benefit.


> Any triplebyte candidate that "closes the deal" should get opted-in automatically. Anybody without an ongoing work relationship, should get opted-in automatically.

Am I misunderstanding you? If you "get opted in automatically", then it's no longer opt-in; it's opt-out.


Yeah sorry, I should have been more precise: I meant to say that it should get turned on for those users automatically at those times.

They could have made it low friction opt-in. “Click this one button in our email to you and we’ll import your account.”

If their goal is to have my identity public, that's a pretty bad goal--certainly not a profitable one.

I own my own business. I'm not looking for a job. Unless something goes really horribly wrong, I won't be looking for a job in 24 months, or ever. Having my profile public doesn't add to the signal on their platform, it adds to the noise. Having my profile public is a waste of time for me, them, and employers looking for someone with my skills.


They could prompt at next login instead

> Simply explaining what is going on more “clear” and repeating it more often probably won’t get you anywhere good.

I've learned this lesson personally. Trying to be "clear" about my own perspective while ignoring what the other person feels.

"You don't like what you see? Impossible, you just can't see it. Let me make you see!"


The rhetorical technique that annoys me the most plays out like this...

Me: Thing
You: I hate that thing
Me: You don’t understand Thing. Here’s Thing explained.
You: I understand Thing, I still hate it.
Me: You don’t understand Thing. When you understand it, you’ll like it.
(Repeat)

Sometimes this is stupidity thinking that understanding is missing, but I think it’s usually shady just so they have something to say to counter the objection that is visible to people outside the conversation, who are interested, and at least see some form of technical interaction.


There needs to be a catchy name for this type of interaction. I loathe it as well and it's annoyingly common. Companies that rely on this behavior should be called out repeatedly.

Willful misunderstanding? Confusion redirect? Defray to diffuse?

The technique seems super common now, and I’ve been expecting to run into it in some communications training, but haven’t yet.

I feel like there’s some crisis PR tactics this fits into that involves “Never disagree, redirect and ignore.” It diffuses criticism and makes it hard to argue.

It seems related to when I see a complaint on a review site that’s been responded to with “I’m the manager, please call me.” It doesn’t resolve the issue, but it shows that someone is doing something, so it diffuses pile on because it stops complaints of ignoring customers.


I have such a great comic in my stash about this (author unknown): https://i.imgur.com/lcVU0rP.jpg

Thank you for the calm and instructive response. I was about to hoist my pitchfork but set it aside instead.

Hopefully his last too, as the company goes down in flames. But well, scumbag CEOs usually have parachutes (or Mary Poppinsesque umbrellas?) that take them elsewhere..

If someone goes from not having a profile to having one, you know they’re job hunting.

It’s like saying “Your Tinder profile will NOT contain any data/details about you or your dating search that will undermine you in your current relationship.”


Exactly. This is basically like the workplace equivalent to the Ashley Madison scandal, only pre-planned.

How about if you just always have a profile?

That's a false equivalence. You're talking about a business relationship versus an intimate personal relationship context.

The type of relationship is different, but the example still holds. Having a profile at all can and likely will be viewed as an indicator of intention to leave the current relationship for a new relationship. This was how it was viewed having a resume profile on sites like Monster and CareerBuilder before LinkedIn made it the norm to have a public resume.

Time frame is also very important. Example, a user has been with the company for over a decade, but the product has only been around for a few years. Or if one of the "achievements" was a test that was added recently.


I have a TripleByte profile. Am I job hunting? This is not a hypothetical. I really do have a profile.

Not necessarily.

But what if you didn't have one yesterday, but you do have one today? What if you have only worked for one employer since TripleByte was founded (2015)? What if the only place you've worked is a startup of which you're a cofounder?

If you can't think of a way in which a privacy leak can have consequences, that doesn't mean there aren't any.


What if I have? How does that imply anything other than that I took a test?

In the sense of a logical implication which follows with full logical necessity: it doesn't.

In the sense of a likely reason for someone to draw an inference: Most people do not specifically seek out excuses to take tests, and do so only because they want something that the test provides them with, such as access to a job-hunting platform. Most people who want access to a job-hunting platform want it because they are job-hunting or plan to be soon.


It's a known interviewing service. The implication by many would be that you took the test because you were interested in interviewing.

Is there another big use case that I'm missing from their product? Interested in hearing your interpretation of a person that has a profile on an interviewing service. My assumption would be the main objective of a user signing up for a service would be using the main product the service provides.


After reading your various comments, I have to ask if you have any relationship with Triplebyte and/or its founders beyond merely using the service. And yes, I would greatly appreciate an answer to this.

I do not, other than having interviewed with them. For the record, I would not care to repeat the experience, either. I found the process unnecessarily stressful and not worth the time investment.

Nonetheless, I don’t find very much wrong with what they do, in general, or what they’ve done here. Do you think because I have a dissenting opinion, I must necessarily be some kind of shill? Come out and say it, if so.


I didn’t know one way or the other, which is why I asked. Perhaps the unspoken bias I’m putting on display is the assumption that no independent observer could possibly think their actions were ethical.

My point is that just having the profile is data. He can’t predict what impact making this data public will have.

Companies that are worth a shit don't retaliate against people for looking at other opportunities. That's precisely why your Tinder example is not just off base, it's wrong.

Another way to look at it: either you're a replaceable cog, or you're essential to running the business. If you're essential, they're going to do whatever they can to keep you. If you're replaceable, they probably don't care that much whether you in particular stay or go, but it will certainly cost money to replace you, which they'd rather avoid spending.

Only a completely irrational company would cut someone loose just because an online profile with that person's name on it appeared somewhere.


If I had to lay off one of two employees in a role, both do the role fine, but I strongly suspect one of the two has been looking to leave... Which of the two am I keeping?

Being fired because you're perceived to be looking for other jobs probably isn't a realistic concern. But being passed up for promotions or missing out on desirable opportunities because you're perceived to be looking for other jobs is a very real possibility, even if you're not easily replaceable.

The Tinder analogy is imperfect because of that, but it's still a good illustration of how just the existence of a profile can destroy your plausible deniability.


> Being fired because you're perceived to be looking for other jobs probably isn't a realistic concern.

It definitely is.


It's additional risk that nobody asked for.

Very few companies are worth a shit.

You're right -- most people's livelihoods don't depend on staying together with their girlfriend.

I don't get why you'd think it's okay to suddenly make private information about your users public. The lesson is not "We should've included a screenshot" but rather "We shouldn't automatically opt our users in to sharing information they thought was private." This is a betrayal of user trust.

I saw your email in my inbox but didn't read it. I never would've noticed with improved screenshots or not. Do you read every email you get?


Did you read the fine print when signing up? Maybe this goal has been in their fine print for a long time.

So what? Caveat emptor has no place in honest, trustworthy business practices.

From a GDPR perspective, for anyone who is able to lay claim to GDPR protections, it wouldn't matter whether this is written in red on the first line of the agreement - "data protection by default" means that you must default to not sharing with an unlimited number of people.

What this means in practice is you can't default anything containing personal info to being public by default.


Yup. One of the best benefits of GDPR is that you don't have to read the fine print anymore, because companies can't legally put anything abusive in there, at least with respect to processing your data.

Absolutely. Article 25(2) is written for this specific situation, and expressly prohibits opt-out situations where personal data might be made publicly accessible:

"In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."


Not according to your own FAQ[0] on public profiles:

> Your public profile includes any badges you've earned, your basic info (current job title and company, current location, and years of experience), and the tech experience & resume section.

This information can very easily be used to identify a person, especially at smaller companies.

> ... to provide us the canvas to release badges. That’s it.

So before you were taking on LinkedIn, but now it’s just a place to release badges?

[0] https://triplebyte.zendesk.com/hc/en-us/articles/36004382061...


The fact that this is the top comment and that folks who trusted you are seeing this email first on HN instead of in their inbox means you fucked up. The details of what trimmings you put on the email were not the fuckup.

>> The new profiles will be launching publicly in 1 week.

You are literally taking private data and making it public without consent.


Regardless, this breaches GDPR by making data public and accessible to an unlimited audience by default.

I hope (for your sake) that you don't have any users that can invoke their GDPR rights against you by virtue of their citizenship.

For the sake of incentivising companies to do the right thing, however, I hope you do have some EU or UK citizen users who do litigate or have their data protection authority investigate and formally punish Triplebyte, even if only to establish clear precedent here for the future.


Triplebyte is only targeting Americans afaik.

Not true, I ended up on triplebyte a few months ago as a result of ads, so I also have a profile, and I'm in Europe.

That’s not true. Even if it were, many Americans live in Europe and are subject to GDPR.

I'm a European in Europe and seem to have a triplebyte account

In which case, it sounds like at the moment they carry out a "data processing operation" to make your data public, you would have standing to make a formal complaint to your local data protection authority.

Article 18 restriction of processing can apply here. Art. 25 "Data protection by design and by default" would seem to be relevant as well. The section I alluded to above is the latter half of 25(2), saying "In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons."

There's also the question of whether their consent or other grounds of processing suffice, which likely wouldn't for making anything public, but Article 25 makes it clear enough anyway this is illegal.


I am not a lawyer and this is not legal advice but ... I don’t think the European government has legal standing to fine triplebyte. Triplebyte doesn’t have offices, employees or customers in Europe.

A European visiting the US and interacting with an American business does so under the protection of US law, not EU law. This is complicated in the case of Facebook and google because they also do business in Europe, so European courts can fine their European branch offices. But Triplebyte has no such EU presence that the European courts could pursue. And they don’t advertise European jobs. I suspect an EU citizen interacts with triplebyte legally the same way they would if they went to a cafe in SF while on vacation.

The opposite would be crazy. If triplebyte can be fined by the EU, that would also mean the government of Australia or China or Russia could arbitrarily levy fines against any US company if one of their citizens interacted with a US website one time. And everyone would put geo blocks on their websites to protect from liability.


Not a lawyer, not legal advice either, but the GDPR approach to extraterritoriality is somewhat interesting. The presence of offices or employees isn't a strict requirement by law. The law, as written, would seem to apply to a US entity serving EU customers. But international law probably wouldn't facilitate doing anything about that.

Of course there is a question about how you could enforce such a ruling. And if it can't be enforced, is it really a sanction? I guess if countries wanted to take this really seriously, they could get a list of company officers and put immigration flags on those individuals, and hold them temporarily upon trying to enter that country, until the matter was resolved. But that would be rather extreme, and you do raise some good points around which countries can fine the companies of other countries.

CCPA from California seems to have some cross-border implications as well - perhaps we will finally see a framework for privacy laws that works better than today's hotch-potch?


This may be true, but I have had US websites flat out refuse me access because they detect I'm in Europe.

Triplebyte can be 100% fined by EU, there are such previous cases where HQ is out of EU but they are serving EU citizens.

GDPR is very clear in its wording that it doesn’t matter whether a company has offices in the EU or not; the only thing that matters is if the company is providing services to EU citizens.


Triplebyte can just forward those fines to the circular file. There is no practical method of enforcement unless they have a physical EU presence.

That's not correct. You can pursue damages outside of your jurisdiction through a process called "domestication". Generally speaking US courts will enforce judgements from other countries with a legitimate legal system.

Sure, they "can." But has it ever happened with GDPR? My gut tells me they'll direct their efforts towards more critical matters.

I'm not an expert in the direct applicability of GDPR, but my understanding is a European, living in Europe at the time this change happens (but who was perhaps doing an online job hunt, considering a move) might still be covered. Admittedly this is an edge case, but it's not one I'd want to risk in the era of extraterritorial enforcement of various privacy laws.

A European living anywhere is covered.

I was reading about GDPR last week (since CouchSurfing was another company that turned scumbaggy and put up a paywall that one couldn't even access one's own account to delete it without paying a subscription), as I understand it, it only applies to people who were in the EU as the data collection occurred.

No, it covers EU citizens' data fully no matter where they are or where the data is. It may also cover non-EU citizens when in Europe which is perhaps what the article you read was referring to or had misunderstood.

It seems slightly unclear, but generally a lot of interpretations seem to be focusing on the location of the person. An American buying something in a European airport is protected by GDPR during their fleeting pass-through of the "GDPR zone".

https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-... seems to suggest it is based on location. There would seem to be standing for anyone based in Europe that made an account when considering a move to the US, or who is based in Europe next Friday when the "data processing operation" occurs. That seems like it would give them standing, even if they weren't protected while overseas, as this is a new data processing operation.


Please don't make your team work on a U.S. holiday weekend for this. Just don't hit the deploy button on this change and now there's no deadline and no need for crunch.

I don't want a public profile of any kind on your website.

There isn't a spin you're going to be able to put on this that's going to change that what you're doing here is diametrically opposed to my goals. You knew that, which is why you tried to sneak it past everyone.

The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.


> The problem isn't that people think what you're doing is unethical. The problem is that what you are doing actually is unethical.

In order for this to hold, there would have to be objective ethical claims which were independent of what people thought about ethics.


For now. What about the future? I just don't trust any company which changes the agreements without asking for my consent. In this case I just want to close my account and delete all my data. Seems impossible. In Europe, after doing things like this, they could end up in jail for breaking GDPR rules. In the US it looks like it's fine to gather user's data, sell them without consent, and then forbid to close accounts. And there are always people who repeat "the company is fine, they have right to do it". Except they don't.

Your site is a job search site so the fact that someone has an account means they have been job hunting. This is not like Stack Overflow or Hackernews that you seem to like comparing the profiles to. StackOverflow may have job search functionality but it started as primarily something not related to a job search so my having an account there doesn't mean I have been job hunting.

Your SO account was also never private, didn't contain "test scores" for job skills, and was never a repository of sensitive information about you that you only allowed them to have because you trusted them to keep it private.

I've seen some epic CEO fuckups but this one is special.


The message you should have received is that this should be opt-in, not opt-out. You're abusing your users' privacy. Screenshots don't change that.

What you're doing is wrong and unethical, period. Do the right thing and walk back this ridiculous plan. Until then, I will do everything I can do to avoid your service and have others in my network do the same.

Just the fact that someone used your service is a signal for their current employers, it might be used against employees during lay-off rounds as interpreting it that they are 'on the market'. In the current employment climate that is super dangerous. I strongly urge you to reconsider this re-use of data, especially for EU citizens where all use other than the one for which the data is gathered is illegal. See also: GDPR, specificity as well as the section on mandatory opt-in for future use.

Note that you are opening yourself up to major legal and financial liabilities, besides the obvious personal ramifications, ie: you're on the record as a sleaze unless you handle this with velvet gloves from here on in.

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


> 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

You may wish to consult your privacy attorneys; you'll likely be the subject of a number of GDPR complaints considering the above.

My interpretation of the above if you were to do it within the letter of the law (again, talk to your attorneys; I'm just a security director):

1. opt-in via settings page (or a modal on next login) for all people who already have accounts.

2. opt-in during registration for all people who choose to register accounts after the roll-over date.

Again, talk to your attorneys. If you successfully roll over without having taken the suggestion to talk to your attorneys, your conversation with your attorneys may change from "how to best implement this" to "how to avoid getting fined."


I interviewed with TB a couple of years ago. Didn't do too great in the technical interview. Is that about to be public?

Same here. It's annoying that a technical aptitude test that I took when I was a freshman in college might now be publicly viewable as a benchmark for my skills.

And I know the e-mail says that results will only be shared if you did well. But, if you have a profile on TripleByte and there's no signal on your profile that you did well, the only logical conclusion is that you did not do well.

I'll be deleting my account, anyways. I didn't ask for this.


Similarly, I took a test in a language I’m not very familiar with to understand the process. I’m not terribly embarrassed, but I don’t want that publicly available.

See I did fantastic in the interview, but the interviewer was a noob :/

Edit: To be fair, in their survey I think I said something like this sounded good, but it was phrased as "be part of an exclusive club of competent engineers" rather than "show current employer you're interviewing because you clicked on a banner ad". And my whiteboard code had a bug.


Still, please don’t do things that need actual consent in IRL (making something that was private, public)

If your new service is of true benefit, it will be used.


What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.

> GDPR 25(2). The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

> What makes you think anything on your TripleByte profile was ever "private." It was not. It was merely hidden from the majority of the world. If you have a TripleByte profile, presumably, at some point, you were job hunting, and likely advertising that fact to anyone you thought could help you.

Are you arguing for this change? Whatever the argument is seems to be based on misinterpreting 'private' as 'known by no-one else'. Exactly the same argument could apply to e-mail: it's not private in the sense that no-one else sees it, just hidden from the majority of the world; presumably, when you sent it, you were advertising what it said to the recipient.


Dude, just make it opt-in. It's that simple.

Thanks Ammon. I requested to delete my profile (I was trialling to see if we could use your service for our hiring pipeline. Narrator: we will not).

You shouldn’t expose a public profile for accounts that were private before anyway. Is that move even legal? I’m pretty sure it’s not GDPR compliant.

YOU are not in a position to determine what will or will not undermine me at my employer or my business partners. You can still fix this. Make it opt-in for existing users and opt-out for new users. Simple.

I am very glad that I sent you all a rude message requesting my account deletion a few years ago, this is an awful response to a huge issue. Good luck with the recruiting business when no one trusts you!

Wow, what a dumpster fire.

The CEO coming in here and trying to defend that this is actually a great idea is only making things worse.

I'm guessing they don't operate in Europe, because this would be a massive violation of many European and national privacy regulations.

Maybe they should take a hint from this - the fact that they can pull it off in the US doesn't mean it's morally acceptable.


If they ever interviewed an engineer from the EU then what they are doing is very much illegal; it doesn’t matter even if the company is based in the USA.

Engineer in the EU, even if they are US citizens - there are over 100,000 US citizens in Germany, not counting current military or their dependents.

I have the beginnings of a profile there, despite being conspicuously in Germany, because I took the test and applied to be an interviewer.

Too many people think US citizen != EU resident (and therefore not a data subject covered by GDPR)


I can't find even the place to delete my account. It seems like it's not even GDPR compliant which is the standard these days for data compliance.

As owner I would not plan any European trips anytime soon.

Hard to find the opt-out button. You have to sign in, go to your "profile builder" [0], and then click the very low contrast "Visibility settings" button just below the top of your profile.

[0]: https://triplebyte.com/candidates/profile_builder


Talking about dark patterns, the email was sent after 5:00pm on a Friday before the long week-end.

Triplebyte team knew that their users were not going to like it and did their best to slip this through.

Triplebyte went from being a respectable company helping skilled hackers by-pass white-board interviews to being a prime example of unethical tech company in one stroke.


They've been sketchy since inception. I was in a very early batch, if not the first, in 2015.

Remember that the premise was that they were non-adversarial, anti-gotcha interviews, whiteboards, nit-picky algo implementations from memory, etc. They purported to do some qualitative analysis instead.

We schedule a session and I get the confirmation: "This is a chance for you to go into more depth, and show us something that you've built. This will not be a high-pressure interview." I get an email the day before our scheduled session that says, "Remember that we're going to talk to you about a project that you've worked on," as agreed.

The following day, just a few hours before our appointment, a founder emails me saying, "Just wanted to give you a quick heads up that rather than walking through a project today, you'll be doing some programming together with an engineer."

They duped me into an adversarial interview. That kinda thing grinds my gears, but I went along with it anyway. I get the response: "We really enjoyed it and thought you did great. We'd love to talk more with you and invite you to a second technical interview."

I opted out as this continued. They acknowledged that they were changing things around without telling people, but it was just so antithetical to the mission that it became disingenuous.

When you pair that attitude of disregard with the fact that they're playing sociologists, it's a bad look.


Wow, it's like it's following every dark pattern in the book. Wouldn't have found it out myself.

It's a master class in dark patterns. I guess they figure this will be good in the long run, but I'll never trust anything from Triplebyte or Ammon Bartram after this.

Easier to find the "delete account" link...

https://triplebyte.com/privacy-center


It takes 30 days for any of these actions to take place, but the window in which it was announced is a week. Something seems off.

And you need to have logged in already for the delete to work, after which you get an email to approve the request which ends up with this notice of requiring government id as well. Govt Id, really, what are they thinking here?

```

We're processing your request and should be done within 30 days.

We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

```

Triplebyte has definitely been the worst experience I have ever had, in fact they are so bad, I would rate them below the other unprofessional recruiters we all come across!


This corresponds to the 30 days allowed for GDPR:

"Under Article 12.3 of the GDPR, you have 30 days to provide information on the action your organization will decide to take on a legitimate erasure request. This timeframe can be extended up to 60 days depending on the complexity of the request"

I deleted my account today and will issue a GDPR request if it doesn't get deleted.


I did exactly this right now and am super pissed at what they are trying to achieve by making us jump through these hoops.

Note that I clicked that and got an email saying that it would be automatically reactivated in 24 months. I would just delete your account at https://triplebyte.com/privacy-center

Thanks for this, there is no way I would have ever found this without your post. It definitely seems like this link is intentionally hidden.

Anyone else just get another unsolicited email from them?

Subject: Triplebyte explained, from coding quiz to job offers

"Hey there, I'm Tyler, one of the engineers here at Triplebyte!"

This hours after opting out, setting privacy options, and deleting account.

Crushing it guys...


And to delete account you have to email them.

I have a few guesses about this:

1. Triplebyte knew this would cause some outrage, especially on HN and Reddit.

2. Triplebyte did some calculations and predicted that doing this on a Friday and only giving people a week to opt-out would result in the fewest number of opt-outs.

3. Triplebyte assumed that many of those outraged online would delete their accounts.

4. Despite all of the above, Triplebyte calculated that this move would make them more money in the long run.

I’m also guessing that these profiles will serve ads. I bet Triplebyte will offer “premium” plans for both job seekers and employers so that they can directly contact you more easily.

I hope this change incorporates necessary privacy measures for job seekers. I hope that this doesn’t become a 1-to-1 LinkedIn competitor that only seeks to get clicks and ad revenue. Only time will tell. I’m very skeptical but I won’t rage yet. I’ll opt out for now and see how it goes...


> doing this on a Friday

Was it Friday of a three-day weekend? That's one of the best news dump days of the year.


Yep, Monday is a holiday (if you happen to have a job, and have a job that gives paid holidays)

If you, like most people in this thread, find this incredibly unethical and/or potentially damaging to your relationship with your current employer and as a result you are trying to delete your account, do one thing first:

Obfuscate your information before you hit the delete button!

Change your name, change your address, change the email to a throwaway, etc.

Yes, they -might- delete your information when you ask, but do they deserve your trust that they will get this right? If you are deleting your account you implicitly are saying you don’t trust their ability to manage this situation the way you would.

Keep in mind one likely outcome of this event is that they go out of business. Whoever buys their assets may well end up with a trove of data that includes your details.


And what stops them from using backups with unchanged data anyways?

At least for internal/statistical purposes.


The goal is to prevent a public profile with your real data first. If they publish a backup of your profile it would be a next-level violation of trust.

If they are _determined_ to use your data, they will have backed up before they announced this and saved it off somewhere. Normal backup mechanisms won't get the job done, though, because they typically age out. GDPR and CCPA both require backups to explicitly not allow for restoration, although of course they could ignore both.

WOW!

Amazing that a company founded by a former YC Partner could be so tone deaf. Just because their business is failing and they want to pivot into a LinkedIn competitor doesn't make it my problem.

Dark opt-out patterns sent on a FRIDAY before a 3 day long weekend to hide facts from us, with crazy convoluted methodology for deleting accounts, and buried opt-out...

This is shady as hell, and thinking that you can "explain" it to us here and that we are wrong and you are right, and if we had just a little more "Facts" we'd change our mind, tells me everything I need to know about the leadership and future of this company


Triplebyte was already a joke, this was the straw that broke the camel’s back.

Their whole “Fast Track” program claiming to allow you to skip technical interviews is a total fraud of a marketing ploy.

They make you take a 2 hour live coding interview with a Triplebyte engineer, with the promise that if you pass, you won’t need to do any more technical interviews with companies through Triplebyte, only “final-round personality-style on-sites”.

The reality is that any company who contacts you is STILL going to run you thru their entire interviewing process. The extra 2 hour interview with Triplebyte is literally pointless - and any company you try to discuss this “policy” with will be caught confused and off guard.

It’s no surprise to me that a company that blatantly lies about their offering would do some crap like this.

Shame on Triplebyte for their fraudulent and dishonest nature.


"They make you take a 2 hour live coding interview with a Triplebyte engineer, with the promise that if you pass, you won’t need to do any more technical interviews with companies through Triplebyte, only “final-round personality-style on-sites”."

I was never given the impression that there would be no more technical interviews after the Triplebyte one. They were always crystal clear with me that there would be 2 steps for each company: a 30 minute non-technical "pitch call", and a final all-day onsite. They never implied the onsite was non-technical, and I never took it to be.

I think the value proposition is that you skip almost all of the back and forth footsie before the onsite. In my experience it was worth it. There were some companies I interviewed with, not through Triplebyte, where I had 7 or 8 calls before they would bring me onsite. I get it, they want to make sure they're sure before they pay for a hotel and a flight, but it is a big hassle.


Thanks for sharing! They told me there would be a 30m pitch call followed by an all day of on-sites that were explicitly not whiteboarding sessions or technical assessments. Also, I still did have several back and forth calls with companies I was connected with - it wasn’t just the one half-hour call and then on-sites.

Here’s the exact email from TripleByte upon passing the quiz:

“Here's how it works:

1. We'll show your profile to companies that are likely a good fit.

2. The companies will request interviews with you.

3. You'll be able to review the requests, and accept the ones you're interested in.

After you accept an interview request, the next step is an introductory phone call where you and the company get to know one another. The companies that work with us all agree to skip technical screening, and take you right to the final interview (saving you time). To get started, complete your profile so that we can find the right companies and roles for you. After you complete your profile, you'll also gain access to our exclusive Triplebyte Alum Slack community, which can help support you throughout your career.”

> The companies that work with us all agree to skip technical screening, and take you right to the final interview (saving you time).

Define technical screening? To me this means that I’m already technically screened. They also have changed their copy. The copy on their landing site around FastTrack used to be much more explicit around skipping all technical assessments.


Most companies define their process as something like Phone Screen (recruiter) -> Technical Screen (engineer via phone or take-home project) -> On-Site (mix of culture + tech). Triplebyte helps you skip those first two steps.

I agree that the terminology could be more clear, but it seems like they borrowed existing lingo from recruiters here.


I haven't tried Triplebyte, but my reaction is that obviously I'd want to skip the on-site tech part and not the others, so I could probably be tripped up by my expectations even if the actual way it worked was mostly disclosed.

Thanks for your point. That’s fair, it’s not a straight lie - they are using the ambiguity to their advantage. That is still dishonest IMO.

This email is sufficiently ambiguous that it would definitely mislead at least some of their users. Given how shady and scummy the rest of the company's practices seem to be, it's hard to believe this ambiguity isn't by design.

Now that I read what you quoted it does sound ambiguous. It doesn't explicitly say that the final interview is non-technical, but "skip technical screening" could be interpreted as implying that.

I guess they aren’t straight lying about how many interviews you’ll have, but to me riding that line of ambiguity with no course of action or any metric around what a technical screening actually is presented to the interviewee, it’s just as dishonest of an approach in my opinion.

I think they went out of their way to make the whole thing as vague as possible, and hide the value proposition, possibly because they didn't really know it themselves, and tried to be "flexible" to pivot and cater to everyone.

The whole proposition was to:

* charge $500/onsite to the employers (that's often way below what it costs to bring an out-of-state candidate to Cali for an onsite — Triplebyte intentionally low-balled the cost for the travel arrangements of an onsite to waste everyone's time on pointless onsites), and,

* bring candidates for a whole week of onsites to a given physical location (you were limited and encouraged to have up to 5 onsites in SF Bay and up to 5 in NYC, e.g., you'd spend a whole week (5 nights) at each location if you were to get and accept enough offers for the onsites, where both you and the employer have to make a decision after a single 30 minute phone call).

They did this by booking really bad flights out of far-away airports (unless you push back); really bad hotels in the most shady areas (unless you push back); not covering the hotel on the final day at the location (decent SF Bay always cover both nights) and requiring red-eye flights; and not covering per-diem, even though it's the industry's standard practice to cover per-diem; and also not covering airport parking or mileage to the airport — all of these items are always covered by all other companies hiring directly.

Because no employed candidate could simply spend two weeks interviewing all over the place, they've obviously preyed on the unemployed people, by misrepresenting the opportunity, and doing a bait-and-switch at the final minute in regards to the travel arrangements, once everything else is already in place.

---

I think the biggest proposition and the selling point was for the startups to cheaply access out-of-state candidates for $500/onsite, and then offer a lower salary because it's been scientifically proven that salary expectations are lower for people moving to SF Bay Area from out-of-state (e.g., look at the study that Hired did a few years ago).

I was determined by Triplebyte to be in the top-3% of folk — I was accepted by Triplebyte after passing the 2h technical interview with one of their engineers; but my onsites weren't particularly aligned; and Triplebyte did several misrepresentations and dragged their feet throughout the whole process as well.

I would not recommend Triplebyte to anyone until they raise the price of an onsite to maybe 750 to 1k per onsite for the employers and cover travel in full for the candidates (including parking, mileage and per-diem). Low-balling the cost of the onsite results in employers giving these left and right without much thought; the candidates aren't even informed that standard travel costs won't be covered, in fact, Triplebyte does the opposite, and claims that it covers all travel expenses, which is a big lie.

---

However, do I think it's a good idea for Triplebyte to pivot to tackle LinkedIn? Yes, most definitely. Triplebyte introduced candidate certificates a while ago, but I don't think these were particularly marketable the way they've been implemented in the past; it's also not particularly clear how it'll work from the financial perspective, because it costs real money to do all those 2h interviews.

Is it a good idea to require an opt-out instead of an opt-in? Yeah, if you could not follow such a sleazy business practice and make yourself available to potential FTC oversight for 20 years, that'd be great. I won't be logging in to toggle any settings, because I'd rather not disqualify myself from the extra fun of being a part of the class!


> The extra 2 hour interview with Triplebyte is literally pointless - and any company you try to discuss this “policy” with will be caught confused and off guard.

Their contract with Triplebyte stipulates that companies that use their service aren't to incur additional technical interviews, and according to the Triplebyte representative I talked to, apparently the company has legs to enforce the contract if a candidate informed TB of a breach.

When companies try this, and pretend to be confused when there is push back, it's because they got caught with their pants down trying to breach an expensive contract.

It was my experience that every company, big and small, that I interviewed with through TB did on-site technical interviews anyway. In the end, the value-add of TB was that you could filter out many of the companies on the platform because of how cavalier they were to dance around their contractual agreements with their recruiting agency.


I tried deleting my account and apparently it takes 30 days for some reason! That looks so shady!

  We're processing your request and should be done within 30 days.

  We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

  Any questions? Email us at privacy@triplebyte.com

> Government identification may be required

Ah yes, the classic "send us more of your PII to delete your information." I've run into that too many times.


It's a horrible way companies try to discourage data subjects from exercising their rights.

This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.

If comments here are any indication, too many people, being unaware of their rights, may fall for it though.


> This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.

IANAL, but they may already be in violation of the GDPR with the 30 days processing time. While the GDPR states 30 days as the upper bound, the article about erasure also states:

> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies [...]

Notice the phrase undue delay. It seems that the legal interpretation of undue delay is as soon as possible [2]. Since the sign-up for Triplebyte seems to be immediate (you just create an account), they could also remove an account with a simple delete account button (remove some rows from a SQL database). So in the case of most web services as soon as possible seems to be with the click of a button to delete an account itself. Allowing a few more days for changes to propagate through storage systems and backups.

For anything longer, they should probably come up with damn good reasons when this is brought to court.

At any rate, they will have more serious problems if they make citizens public for people in the EU. They'll open up themselves to a huge liability. You are simply not allowed to use data for other purposes than what the data subject gave explicit well-informed consent for. And no, burying something in the terms and conditions is not explicit consent.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2] https://www.linkedin.com/pulse/term-without-undue-delay-cont...


> This is not lawful under both the GDPR and the CCPA.

IANAL, but from my understanding that's exactly what GDPR itself suggests to do:

> The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

That's mainly because [2]:

> There is a very real concern of fraudulent requests from bad actors, who might use a customer’s data for nefarious purposes.

While it's great to know that no one else is able to delete my account, it still feels shady af.

[1] https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1374-1-1

[2] https://konfirmi.com/blog/gdpr-personal-data-id-verification...


That's only true if they don't have another way to verify your identity, not if you're logging in to an account using your username and password in order to delete it.

Is there a privacy preserving alternative to sending a scan of your driver's license/passport? Can you get a notary to attest your identity, and you send them the notarized request?

If the ID wasn't required for the account creation, why is it needed for the deletion?

Well I live in France and will certainly not send them my ID. Let's see how they respond.

Update for fairness: 11 hours later, I got the email confirming my account deletion. (Without having to provide any ID)

If you are in California, CCPA might be of some help.

Article 4(b) actually states that to verify you (for a data delete request), they must do their best to use info they already have on you, and "Avoid collecting the types of personal information identified in Civil Code section 1798.81.5, subdivision (d)"

and in 1798.81.5,(d)(1)(A)(ii) we see: "Driver’s license number"

4(c) also helps: "A business shall generally avoid requesting additional information from the consumer for purposes of verification."

So if they can verify you another way, they must, and cannot ask for the DL (likely the only ID many people have), if I read that correctly!

So instead of jumping through their hoops, file a CCPA request and have them chew on that.

