Tell HN: Triplebyte reverses, emails apology
1030 points by trianx on May 25, 2020 | 649 comments
This just landed in my inbox. The discussion on hackernews (https://news.ycombinator.com/item?id=23279837) surely helped Triplebyte understand that it was a mistake to create public profiles of their users by default:

Email by Triplebyte CEO, Ammon: ---

Hi xxxxx,

There’s no other way to put this--I screwed up badly. On Friday evening, I sent an email to you about a new feature called public Triplebyte profiles. We failed to think through the effects of this feature on our community, and made the profiles default public with an option to opt out. Many of you were rightfully angry. I am truly sorry. As CEO, this is my fault. I made this decision. Effective immediately, we are canceling this feature.

You came to us with the goal of landing a great software engineering job. As part of that, you entrusted us with your personal, sensitive information, including both the fact that you are job searching as well as the results of your assessments with us. Launching a profile feature that would automatically make any of that data public betrayed that trust.

Rather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.

So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours. I can point to two factors (which by no means excuse the decision). The first was that the profiles as spec’d were an evolution of a feature we already had (Triplebyte Certificates--these are not default public). I failed to see the significance of “default public” in my head. The second factor was the speed we were trying to move at to respond to the COVID recession. We’re a hiring company and hiring is in crisis. The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping. Inexcusably, I ignored our users’ very real privacy concerns. This was a breach of trust not only in the decision, but in my actual thought process. The circumstances don’t excuse this. The privacy violation should have been obvious to me from the beginning, and the fact that I did not see this coming was a major failure on my part.

Our mission at Triplebyte has always been to build a background-blind hiring process. I graduated at the height of the financial crisis as most companies were doing layoffs (similar to what many recent-grads are experiencing today). My LinkedIn profile and resume had nothing on them other than the name of a school few people had heard of. I applied to over 100 jobs the summer after I graduated, and I remember just never hearing back. I know that a lot of people are going through the same thing right now. I finally got my first job at a company that had a coding challenge rather than a resume screen. They cared about what I could do, not what was on my resume. This was a foundational insight for me. It's still the case today, though, that companies rely primarily on resume screens that don’t pick up what most candidates can actually do--making the hiring problem much worse than it needs to be. This is the problem we're trying to fix.

We believed that we could do so by building a better LinkedIn profile that was focused on your skills, rather than where you went to school, where you worked, or who you knew. I still believe there's a need for something like this. But to release it as a default public feature was not just a major mistake, it was a betrayal. I'm ashamed and I'm sorry.

Triplebyte can’t function without the trust of the engineering community. Last Friday I lost a big chunk of that trust. We’re now going to try to earn it back. I’m not sure that’s fully possible, but we have to try. What I will do now is slow down, take a step back, and learn the lessons I need to avoid repeating this.

I understand that cancelling this feature does not undo the harm. It’s only one necessary step. Please let me know any other concerns or questions that I can answer (replies to this email go to me). I am sorry to all of you for letting you down.

Sincerely,

-Ammon




All: this thread has more than one page of comments. If you click the More link at the bottom you'll get to the others. I post this reminder because confusion appeared (https://news.ycombinator.com/item?id=23306062). We hope to go back to single-page threads as soon as some performance improvements are ready. Previous explanations are at https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....


I am not an active Triplebyte user, but I have an account and followed the thread(s).

This e-mail (which I also got) seems like a heartfelt apology. They fucked up, realized it and turned the ship around. They listened and that's what counts for me. They listened to the negative feedback and responded to it.

Some comments around here are extremely negative of the whole situation. More negative than I think they deserve. They could've pushed through and ignored all the feedback they got. They didn't, and that's enough to show the company and its CEO isn't utterly rotten.

@ammon Thanks for listening and participating in the discussions on HN. You made a mistake, but the fact that you responded is enough for me to put my trust in Triplebyte in the future if the need arises.


> They could've pushed through and ignored all the feedback they got.

That’s a very charitable analysis of the situation. For all we know, this decision was motivated by internal KPIs that immediately reflected what a disaster this was.

The whole situation reeks. Announcing on the Friday of a long weekend, the CEO defending it ardently in HN comments, the very deliberate decision to make it opt-in, the difficulty in disabling it. I mean, sure, this apology could be heartfelt. But that doesn’t mean it wasn’t a shady as hell thing to do, and a shady as hell way to do it.

There are really only two ways this happened:

A) The company’s culture and values are so maligned they actually, genuinely thought this was something that would excite users and go over well.

B) They were 100% aware that this move was ethically dubious (at best), but were willing to take the risk. This is the much more likely path when you take into consideration how exactly they went about it.

An apology can be heartfelt, but that doesn’t have anything to do with whether it undoes the damage. And it can’t make people forget that TripleByte thought this was a good idea. That says so much more about the company and their integrity than any apology ever can.


>I mean, sure, this apology could be heartfelt. But that doesn’t mean it wasn’t a shady as hell thing to do, and a shady as hell way to do it.

Just a classical SV startup - "it's better to ask forgiveness than permission". This time though we, SV tech, did it to ourselves and thus there are such loud and so many screams of pain - because it is our own pain.


What's left me confused is one thing: if the significance of "default public" was missed, then what was the motivation for the previous warning email? It seems bizarre to suddenly email everyone "Hey folks, we're changing your default privacy settings next week" while simultaneously believing that it's... an insignificant thing?


My guess: someone on the team understood the ramifications but others did not. The only thing that someone could get them to agree to is the email.

I have been in meetings where everyone in the meeting thought "doing X will have no impact on anyone so there is no need to notify", where I knew 100% they were wrong but none of my arguments landed. My final statement was "well if it is not significant then the email should not matter either so why not just send it out just in case."

These things do not happen in a vacuum, and while it is good the CEO is taking 100% of the blame, I can assure you the CEO had internal support and internal dissent for the feature.


Makes sense I guess, thanks. Going a little off-topic, but regarding what you mentioned -- how do you reply when they (inevitably, I often feel) reply to your 'why not' with "Well because we shouldn't send out needless emails to people"?


You're making a false dichotomy there - there aren't only two ways. They could also have sincerely not thought about how this new platform would behave given the opt-in nature of it.

There have been similar incidents throughout tech history (and history in general) - it's not always that the culture is bad. It's also sometimes an honest mistake (at least, thinking through the ramifications of it is).


You must have missed the part where the CEO actively defended the decision on Hacker News when confronted.


"maligned"

Their culture and values have been much maligned, but you mean malignant. Please don't take this personally, it's just that it seems like this misuse of the word is going viral.


I actually really appreciate your comment. Thanks for letting me know!


While we're clarifying, the decision was opt-out - everybody was included unless they took action to be excluded. Opt-in means that you're not included unless you take action to be included.


thank you, I appreciate opportunities to improve my English


I wish I could upvote this more than once. Their conduct on HN proves this was not a case of "rush" and "churn" resulting in ignorance of consequences. This was simple greed and the decision that the profit from screwing their users would outweigh the backlash. The only reason they backpedaled is because the backlash turned out bigger than they expected. They're not sorry and they will fuck you again the moment they decide it's worth it.


Rofl chill out. There are a million shades of grey between your midnight black and Christian white.

First, this was not shady as hell. Shady as hell would be selling your data to a 3rd party and never telling you. Not-shady is building a feature, seeing negative feedback, and cancelling that feature.

It’s more than likely they had discussions and came to a decision through thoughtful discourse, rather than knowingly saying “fuck the user”.


> This e-mail (which I also got) seems like a heartfelt apology.

Even if it is heartfelt, I'd argue that if no alarm bells went off internally when they were discussing this feature, they are not the group of people to entrust with information such as this.


Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.

As soon as a company does something that a chunk of people on the internet don’t agree with, there’s really no way out. They’re going to get bad press regardless of whether they retract, whether they apologize, and whether they say they’re taking actions to avoid the sequence that led to the action in question.

But alongside that, for every time the internet mob has risen up over a company’s action, very few companies seem to have experienced major long term effects. I bet everybody knows a few people who have quit Facebook/GitHub, or who rage about Oracle business practices or MongoDB stability, but these companies still manage to keep trucking along.

In light of this, I’m mostly surprised that Triplebyte bothered apologizing; it seems unlikely to do them any good, and it’s unclear to me whether continuing course would have actually done as much harm to their bottom line as the prior Hackernews thread appeared to indicate.


The current position is "sorry for breaking your trust, please trust us". It's hard to find it compelling.

> Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.

To project my own opinion onto others: these comments are warranted because an apology has no actual value. The fact remains that Triplebyte can still do this if they wish to, and they are constrained only by what they can manage to slip past their users.

There's a stark asymmetry in the digital space, where service providers are protected by the legal language in their TOS or EULA, but the users have to trust that the service provider will not act outside their interests, and with no recourse. By contrast, in a normal contract negotiation, there will be an opportunity for both sides to amend the contract to better serve their interests.

If Triplebyte wanted to show that they will not attempt to do this again, they could break this asymmetry and constrain themselves in their user contract, accepting all resulting liability or specifying concrete penalties if they do pursue this route in the future. An apology is just a meaningless PR exercise.


> The current position is "sorry for breaking your trust, please trust us". It's hard to find it compelling.

Why is this a hard thing to do? It’s literally what everyone who ever messes something up is asking you to do.

Just because someone once committed a broken build, doesn’t mean I’ll never again trust them with access.

It’s arguably more like “sorry for being a moron, but I hear you. Please give us another chance”?


> Why is this a hard thing to do? It’s literally what everyone who ever messes something up is asking you to do.

Because you're treating a service-client relationship as an interpersonal relationship. They are not, and the same norms do not apply. That apology, and its implicit premise(s) and promise, is rooted in the norms of intimate, interpersonal relationships. Those do not apply.

When you screw up and ask your spouse's forgiveness, the psychosocial interaction is quite different from when a CEO fucks up, writes a mea culpa to the faceless masses, gets his draft looked over by a PR flack and a couple board members, and then sends it out to the highest-impact social media circles for his service and waits to see what his KPIs do.


> Just because someone once committed a broken build, doesn’t mean I’ll never again trust them with access.

I don't think this analogy is useful. An error in execution can be quite different from an error in judgement.

To offer an alternative example: a contractor decides to publish the source code to a company's closed-source software, so that they can use it as evidence of their work for their next job application.

> It’s arguably more like “sorry for being a moron, but I hear you. Please give us another chance”?

When these kinds of bad judgement happen, the person normally loses some decision-making power to stop it from happening again. This is in noticeable contrast to Triplebyte here: an apology as a PR exercise, and no material change to prevent it in future.


It's more like your best friend telling someone the secrets you told them, and then expecting you to immediately trust them again with some more.

However much you'd like to, you can't just flip that trust back on - and in a lot of cases, it'll never fully go back to the way it was.

Not that we should personify company-customer relations - this was a decision that would have been taken by a lot of people expending serious effort to get it out the door. It's not a single lapse in judgement, but a continued expression of different values.


You make it sound like an innocent mistake, but they must have discussed this issue and decided that violating their users’ privacy is acceptable. It’s not like they made a typo, it shows malintent.


There’s a distinction between a mistake and an unethical decision.


Break the build, okay we give you a second chance, delete the database and all backups when you were hired as the DBA? You're probably going to be looking for another job.


Lol did this actually happen to more people than I'd assume? Anyone got a good: IAMA dba that deleted all our data?


Ask Gitlab.


I guess what's missing is the corrective steps they are taking to make sure a mistake like this doesn't happen in the future. I think even a short statement like "In the future, all feature plans will undergo a thorough review by an independent or in-house privacy expert before being greenlit." would give me more confidence that they understand that this was a privacy incident and not a PR issue.


> An apology is just a meaningless PR exercise.

Not to mention this terrible default practice landed them some great PR to start with and the apology gives them more (this time "good PR").


For the Cambridge Analytica case, FB had to pay $5b. There is recourse.


Which is particularly damning given it wasn't even FB's fault.


> Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.

Correct. I don't want apologies or retractions from companies. I want postmortems.

This is really no different from a technical outage, e.g., "As a result of a bad deploy to prod on Friday, all Triplebyte profiles became public." Why was it not noticed in testing? What is the testing process? Is profile privacy part of the testing process or part of code reviews? What are the practices around making changes that affect user privacy - is there a culture of asking questions about it up front, etc.?

Most importantly, what changes are being made to prevent a similar outage from reoccurring in the future? I really couldn't care less about how bad the CEO feels about it - sure, the CEO probably should feel bad, but feeling bad is not a reliable mechanism. If the CEO said "Bwahaha, I wish to profit and I learned over the weekend that my profits were in danger, so I changed course" but then says that in order to maintain his profits in the future he added an external privacy council that reviewed all major new initiatives (or whatever), that would actually be a lot more useful than contrition.

Now, yes, it's true that basically no company does public postmortems of decisions that they needed to walk back (at best you get blameful postmortems that end with a key executive resigning, but most of the time that doesn't help anyway - either the executive wasn't the problem, or they were the problem and they already spread the bad culture to others). But I think it was pretty rare until a couple of years ago for tech companies to do detailed public postmortems of internal outages, and that expectation has slowly changed. I think we should push for the same change for non-technical incidents like this.


If there's one comment I think the CEO ought to take to heart, it's this.

I'm sure the CEO has been taught that good leadership means fessing up when you've screwed up, and to an extent that's true. But it's also an act of ego to assume full responsibility. Ego got them into this mess, most likely, and it will not get them out of it.

The CEO needs to realize there was a systemic failure. It's not just about him having an epiphany – it's about surrounding himself with people, processes, and values that can help keep a runaway product idea from breaking their customer base ever again.


That sounds like an excellent idea.

And I absolutely agree that the feelings of the CEO matter less than putting in place some proper procedures.

Profit ain't bad.


You can’t install business processes to prevent unethical decisions. You can only hold the people making those decisions to high ethical standards, and replace them when they fall short of those standards.

Now, I suppose it may be possible that the CEO in this situation dramatically misunderstood the situation. It may even be possible that he had good faith even as he militantly defended those misunderstandings in previous threads. But from the perspective of trust, I can’t get past the suspicion that he’s just sorry that he got caught.


You can install business processes that give chances for unethical decisions to be reviewed and identified, though. Committees are shit for innovation but relatively effective for squashing interestingly bad ideas along with any interestingly good ones.

I read the apology letter as essentially saying he single-handedly drove the idea, in part because he was flailing due to COVID killing their bottom line, and was tunnel-visioned enough to not recognize it was unethical. Even at face value, that’s absolutely troubling for a CEO in TB’s domain. But smarter people have done dumber things under pressure, and sometimes dumb is at someone’s (or a lot of someones) expense by mistake.

So I’d like to think this was an exceptional occurrence, and I appreciated his personal post-mortem of sorts. However, taking this as charitably as possible, a process-oriented RCA focused on how he’ll keep his runaway ideas from being a one-man show—or whatever the problem actually was that saw this conflagration actually see light of day—wouldn’t suck.


I still don’t like the idea of hamstringing the CEO’s ability to make executive decisions because the CEO can’t be trusted to make ethical executive decisions. Processes are fine for preventing operational mistakes, but when it comes to ethics and executive judgment, they’re a poor substitute for having trustworthy people making the decisions.


I think you'd still want some sort of business process for "hire ethical people" - because there is a huge business process being implemented from all your team managers and all your board members for "make money in whatever way you can" (or, in the case of a startup, perhaps just "grow in whatever way you can"), and you want something to counteract that beyond just one person's conscience.

Potential business processes include "ask about ethics as part of culture fit, and have a good sense of what you mean by 'ethics'," "ask about ethics as part of promo / do not count projects that put user data at risk towards promo," "vet investors for their ethics and see how their other investments are doing before allowing them to take a board seat," etc.

An ethical CEO will probably be doing many of these anyway, which is fine. You don't need to formalize them. It's fine for the CEO to say, for instance, "Ordinarily I would have put the brakes on this via this particular means, but I failed to notice because of this unexpected circumstance. I'm sorry and this is how I'm going to make sure I notice and make the right decision next time." (That isn't too far off from what was actually said, actually, except for the bit about how to make decision-making more robust in the future. Everyone, ethical or not, fails to live up to their expectations of themselves at least occasionally.)


> I think you'd still want some sort of business process for "hire ethical people"

I absolutely agree. But this only works if the top leadership are themselves ethical people. If they are unethical or even neutral, it’s going to backfire. Instead of hiring people for their backbone in terms of pushing back against unethical decisions, it turns into hiring people for their willingness to conform to what they are told.

> It's fine for the CEO to say, for instance, "Ordinarily I would have put the brakes on this via this particular means, but I failed to notice because of this unexpected circumstance. I'm sorry and this is how I'm going to make sure I notice and make the right decision next time."

Definitely. But you only get to use that excuse so many times before it starts to lose credibility.

> That isn't too far off from what was actually said, actually

Here I disagree. To his credit, Ammon has taken full personal responsibility for pushing this through, even over internal objections. It’s not a failure to notice something that happened when you’re the one doing the thing.

The resolution is also more personal than procedural: be more conscientious about your users and listen to people who object to your ideas. Demonstrate that you can do that over time and you can regain trust.


They should be more trustworthy than this, for sure. But sometimes a poor or harmful decision is still an operational mistake that comes down to poor information or comprehension. If it were to become more apparent to me that this was a deliberate lapse in ethics, I’m sure I’d be more where you’re at.

As it is right now, I’m giving some charitable credence to the idea he’s the CEO equivalent of the skydiving photographer that, in his passion to get a great shot, jumped out of his plane with no parachute. It certainly may end up having an analogous effect on Triplebyte’s credibility.


Maybe so. But in the general case I think individuals typically have much better moral judgment than processes and organizations. And the individual whose moral judgment ultimately prevails is the one who makes the decision. It’s not something that can be delegated.


> Processes are fine for preventing operational mistakes, but when it comes to ethics and executive judgment, they’re a poor substitute for having trustworthy people making the decisions.

Exactly this. The only thing that _might_ actually make me trust Triplebyte with my data again is if their current CEO actually stepped down to a less influential role. If I were part of the board I'd actually be advocating for him to step down or be forcibly removed if possible.

He didn't put a stop to this catastrophic breach of trust after being made aware of it. Even worse, he seemed to have actively driven this forward in spite of opposition. I'm simply not willing to trust a company where he's the top-level decision maker with data as sensitive as they're dealing with, apologies or not.


Exactly. I went through their process to delete my account on Saturday or Sunday, and still received their apology letter. This suggests my account was not deleted?


They could delete almost all the data in your account, but still hold onto your email address?


Why would they need to keep your email if you have deleted your account? To spam you? To sell your email to spammers?


I mean, I can accept an apology when I can somehow understand the initial intention. In the thread the CEO was answering "but stackoverflow also has public accounts!" to people explaining why this was a very bad move. The guy seemed completely clueless. It was like trying to explain that hurting people is bad to someone who has just punched you in the face. And this guy justifies his move saying that he has watched a boxing match and that seems a normal thing to do. And then the day after that he finally understands for some reason? The apology is useless because the harm done is too great.


I was clueless. The posts I made Friday night were what I thought at the time (which was badly wrong). I was still focused on what I'd been thinking while we were developing the feature (still trying to make it "work"). What it took was a bunch of friends and mentors reaching out Saturday morning (and basically telling me I'd made a big mistake and betrayed the trust of our users). I wish I'd been able to understand this sooner based on the original HN thread. But it took me some time.


I think the issue is that many (most?) posters can't understand how this decision could have ever been made in the first place and how could it have been so strongly defended? It speaks to some sort of fundamental disconnect about what is acceptable handling of user data and privacy. This naturally leads to mistrust about less visible policies that are in place or will be created. What decisions have been made in the past and/or will be made in the future that are less visible to users that will similarly abuse users personal data? I think everyone appreciates the apology very much, but the unfortunate truth is that this business requires trust and this debacle has eroded that trust in a way that can't be quickly repaired by a simple mea culpa.


It seems convenient to be clueless. Certainly makes for a better apology than "Of course I knew the issue but wanted to try to push it through."

To me it doesn't seem credible that you as the CEO of a recruiting company didn't realize the issue of "default public" profiles. You literally have a section about confidentiality on the front page of your website so you must have known it was important to users.


I'm just as upset as the next guy, but it's a bit silly to presume that he knew how bad this would be. If that were the case, even if he were a greedy, evil, selfish bastard, he wouldn't have rolled out the feature because he would understand the backlash.


Users are obviously not the customer, and recruitment business is shady in itself, sadly. No wonder.


Why did it take friends and mentors reaching out when hundreds of users had already been telling you the same on Friday?


I don't have a great answer. I guess just an entrenched/combative view of what was going on? I'm not proud of it.


It is because he thinks he is above us. Who listens to the cows when you sell milk?


If you are that clueless you shouldn't be running a company.


But no harm was done? It’s like he enthusiastically told you he was going to punch you in the face next week and you told him that’s a bad idea, so he stopped.


The fact that you had to tell him that punching somebody in the face is bad, is sufficient reason for me to never want to deal with that person again.


I've definitely punched people in the face by mistake. They even forgave me!


> Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.

Because the people running the company have a conscience which causes them to feel bad and want to apologize when they harm people? Are we really entertaining the idea that the only reason someone might apologize is if it benefits them?

It's disturbing to me how absolutely normal your comment is on Hacker News. There's a significant portion of HN whose entire concept of ethics seems to be, "if it's profitable, it's right" and who can't imagine any motivation except profit. Over and over again we see profitable corporations doing terrible things and people on HN defending them on no other grounds but the fact that what they are doing is profitable. And when people disagree, it's almost always because the profitable corporation's actions affect them directly. All I can conclude is that a significant number of HN users are just amoral, which is terrifying, because a lot of HN users hold positions with significant power.

And before you tell me that everyone acts selfishly--no, they don't. I've met hundreds of wonderful people in my life who were generous, honest, kind, and/or brave, at great personal cost and risk to themselves. The behavior you're engaging in isn't normal, and it's not okay.


> Because the people running the company have a conscience which causes them to feel bad and want to apologize when they harm people? Are we really entertaining the idea that the only reason someone might apologize is if it benefits them?

>... And before you tell me that everyone acts selfishly--no, they don't. I've met hundreds of wonderful people in my life who were generous, honest, kind, and/or brave, at great personal cost and risk to themselves. The behavior you're engaging in isn't normal, and it's not okay.

I can see that you’re trying to be charitable, so let me try and be charitable in return.

I actually kind of agree with the comment you’re responding to, but I don’t interpret it the same way you do. A normal, moral person like you or me will apologize out of genuine guilt. But then again, a normal, moral person like you or me doesn’t operate a business in a way that betrays the trust of its users.

I don’t think everyone acts selfishly. But I do think that some people do. And even a selfish person would want to try and convincingly feign remorse for their selfish actions once those actions backfired and were no longer in their own self-interest.


> I actually kind of agree with the comment you’re responding to, but I don’t interpret it the same way you do.

I think akerl_ is saying that companies shouldn't bother apologizing when they do something wrong and get caught.

I think that's some "lizard person school of business" shit that has no place in a civilized society.


That’s one way of reading it. Another, more cynical reading is that if companies are amoral in the first place, why do they bother issuing insincere apologies that don’t actually benefit them? Less of a, “companies should be sociopathic” and more of a, “why do these sociopathic companies behave in this way that’s inconsistent with their otherwise-well-demonstrated pattern of sociopathic behavior?”

And sure, maybe the answer is that they’re not sociopathic in the first place. But that’s a very non-cynical answer. Credulous, perhaps.


This, essentially. But more specifically: if I were in Triplebyte’s shoes, I’d have probably done one of two things:

Either just release the feature anyway, and maybe default it to opt-in for people with existing content, maybe make it “only content from $now forward is public”, something to that effect.

Halt the feature, but expend the minimum possible effort on the message out: “Hi all, we’ve reconsidered the feature in light of feedback. Thanks, CEO”.

It’s not clear to me that applying more time/effort to explaining themselves to the world has done them any benefit. There’s the bulk of people who didn’t notice / don’t care, there’s people who are permanently angry, and there’s people who are going to want to see actual changes before they revisit.

The people who work for a business are incentivized to live lives that let them sleep well at night, but it’s entirely possible for them to learn from this experience and behave differently in the future without bothering to respond to the mob.


So basically, if you were in TripleByte's shoes, you'd react without conscience?

You have accused me of misinterpreting your intent elsewhere, but really I don't know how you expect me to interpret this that would cast you in a more positive light. You're saying you would do unethical things, so I don't think I'm off-base to say you might be unethical.


It’s not “without conscience” to change the default from opt-out to opt-in and it’s not “without conscience” to withdraw the entire feature citing negative feedback, so I think that’s a very uncharitable representation that you’re making.


I'm specifically reacting to akerl_ saying that they wouldn't apologize because there's no selfish benefit.


I think the point is more that elaborate apologies and mea culpas don’t actually help anyone. They don’t help the company that does them and they don’t really do anything for us as customers either.

As a customer, am I going to believe TripleByte is sincere when they apologize to me? Maybe, but probably not. The only way to be sure is to judge them by their actions.

And in this case in particular, there’s not technically anything to apologize for since they never actually rolled out the feature.

Any liar can make beautiful apologies without meaning a word of them. It takes an honest person to demonstrate conscience through their actions.


I’d like to live in a world where businesses apologize and adjust their behavior when they make mistakes. I think it would be great if they’d do that regardless of internet mobs.

My point above is that I don’t think internet mobs incentivize businesses to behave that way, and in fact it seems that apologizing to the mob, or adjusting behavior in response to things the mob does not approve of, are counterproductive for the business. They continue to take heat for the wording of their apology, they get another wave of media coverage about the thing the mob is pissed about, there’s not really any visible upside.

Given that, I’m surprised more businesses don’t just ignore the angry people on the internet and just proceed as-is, continuing to rake in money from the people who aren’t outraged.

But maybe I’m just a lizard, unfit for your civilized society.


> I’d like to live in a world where businesses apologize and adjust their behavior when they make mistakes. I think it would be great if they’d do that regardless of internet mobs.

Okay, great, so we're in agreement.

The incentives applied by dissatisfied customers aren't about getting companies to apologize: it's about getting them to behave in a manner such that they don't have to apologize. If you want to discuss whether there are better strategies that dissatisfied customers might employ, that's something I'd be happy to discuss.

If you actually want businesses to apologize and adjust their behavior as you claim, then it makes sense to look at how customers can make that happen.

Point being: if your goal is to actually help people harmed by corporations, calling those people "internet mobs" who "ragequit" and then analyzing whether it's profitable to apologize to them is a pretty strange way of communicating that goal.


To be clear: I do not think that the behavior shown by internet mobs is effective at causing businesses to behave better.

I’m not looking to debate whether or not you agree with my word choice for “the people on the internet who loudly protest companies who do stuff they disagree with, and stop using those companies’ services out of these disagreements”.


> To be clear: I do not think that the behavior shown by internet mobs is effective at causing businesses to behave better.

Neither do I, and I'd be interested to hear how you think people could do better.


Check out the original HN topic.

It would be one thing if he apologized immediately after people pointed out the flaws in their plan.

But he didn’t.

He ignored all the objections, and defended his decision over and over again.

He clearly didn’t care.

There is a huge difference between “whoops, we didn’t think things through, sorry about that” and “after seeing tons of people cancel their account, let’s pretend that I’m now truly sorry.” Especially when he had a history of building shitty social networks.


Yeah it kind of feels like the reversal came only after hundreds? of people deleted their accounts.


> hundreds? of people deleted their accounts

Two thousand: https://news.ycombinator.com/item?id=23304097


Link?



Thank you!




You offer an apology because it’s the right thing to do. You fucked up and you want to own it and recognise it. Once you realise what you’ve done, respecting yourself as a man/woman depends on doing it.

It shouldn’t be for gain. In fact if apologies always led to a positive outcome they would mean less and the world would be a worse place for it.


I think the general expectation for an apology is that it allows you to maintain a relationship you do not want to lose.

Obviously it’s a bit harder if you hit-and-run someone’s pet dog.


I mean I deleted my account. They probably realized they're getting a ton of account deletions and went back on it.


Probably which is mentioned in the email. “Last Friday I lost a big chunk of that trust.” which translates to account deletion


I also deleted my account and encouraged others to do so. I'd love to see their account metrics and to know whether the reason for the decision reversal was primarily driven by individual email responses, HN/reddit outrage, or mass account deletion.


> Probably which is _weasel-worded_ in the email. “Last Friday I lost a big chunk of that trust.” which translates to account deletion

FTFY...


He originally said they got around 2000 deletion requests since sending out the original message. That comment appears to be gone from this page now, but another commenter concurs with my recollection.

It's hard to gauge significance without knowing a number of total users, but I imagine it is a relatively strong hypothesis that there is significant correlation between regular browsing of HN and having an account on his service.


> That comment appears to be gone from this page now

I think you're running into the pagination problem: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

If you scroll to the bottom and click More you should find it. Edit: yes, it's there: https://news.ycombinator.com/item?id=23304097.


> Given the prevalence of comments like this, I wonder why any company would ever bother offering an apology or retraction.

I wonder why anyone would ever place a non-zero value on an apology from an organization acting in its own interests. A company isn't a single person acting in isolation and ignorance. It's a profit-seeking entity organizing a whole number of people of various levels of conscientiousness and intelligence, and pointing them at a single profit-seeking goal.

When that many-limbed organism grabs at a profitable course of action, it's not an impulsive accident of blind flailing. If that turns out to be a problem and they have to reverse course, it's not because of remorse.

They did what was in their interest then; they did what's in their interest now. People confusing corporations for actual, you know, people absolutely baffles me. Their apologies mean absolutely nothing, good or bad, but how bad a hit their business appeared to take and how good their copy writer was. That is all.

As another poster said, and I agree wholeheartedly, I don't care for apologies, I care for post-mortems. The only thing that matters is what operations led to this action, and what change in those operations will prevent it happening again - if any such change can prevent it. A public mea culpa with an executive's signature on it means... well, nothing. Absolutely nothing. It's the cheapest possible way of reclaiming good will, and worth the paper it's written on.


Just as with a person, you'd need them to also demonstrate a series of correct decisions, and moving to give greater accountability to their actions before trusting them again.


>As soon as a company does something that a chunk of people on the internet don’t agree with, there’s really no way out.

And yet, tons of companies had done that, and suffered very little. Heck, any company has done something that "a chunk of people on the internet don’t agree with"...

It's not about never doing anything wrong, or it being futile to apologize.

It's about, you don't do THIS kind of privacy affecting changes without publicly announcing it first, and without red flags raised internally that it might not be a good idea.

That's a good thing to instill in companies, whether this one apologized or not...


Given that there don’t seem to be actual business repercussions from the internet mob’s displeasure, and the internet mob’s displeasure, once roused, cannot be quieted by apologies, changes in behavior, or explanations, it’s unclear to me that we’re actually “instilling” anything in companies, other than the lesson that it’s not worth bothering to pay attention to the internet mob.


> Given that there don’t seem to be actual business repercussions from the internet mob’s displeasure,

2000 account closures is an actual business repercussion.

> and the internet mob’s displeasure, once roused, cannot be quieted by apologies, changes in behavior, or explanations

It absolutely could. As a member of said "internet mob" (I deleted my account) I'll say that yes, an apology by itself is not enough, but an apology combined with a long-term change in behavior would absolutely cause me to stop criticizing them and maybe even create an account again. If, for example, they remove a bunch of dark patterns from their site and change their terms of use to give specific guarantees of data privacy, that would go a long way in my mind.


I will bet you $20 that Triplebyte does not make any long term changes to remove dark patterns within the next year, and that they also continue to do just fine without those 2000 accounts.

Additionally, even if the 2000 accounts were enough to cause business impact, the idea that they’d need to demonstrate long-term change to win back those users is effectively irrelevant. They may as well put their efforts into gaining new users to replace the 2000, rather than try to repair the burned bridges. The return-on-investment for making “long-term change” to win back people who ragequit their service is low, especially since those people self-select for “people likely to ragequit again if they disagree with future company decisions”.


Well, you're certainly leaving out big parts of the equation. Like: they can court new users and try to repair burned bridges. Or: the people who quit, and the narrative around why, certainly affects their ability to court new users.

But ultimately, you might be right--maybe the net effect of not apologizing would be negligibly different from the net effect of apologizing. I don't have numbers to say you're wrong, but you don't have numbers to say you're right.

But as I said elsewhere, why are we even talking about this? You seemingly have complete disdain for users who are concerned about TripleByte using their data against them, calling them an "internet mob" and accusing them of "ragequitting". Are you capable of empathizing with users at all? Do you have a conscience? Why are we talking about this as a strategic problem when it's an ethical problem?


I’m not sure how you expect to have a productive conversation when, in this and parallel comments, you’ve made several insinuations that I’m a conscienceless lizard person.

But to be clear: Triplebyte’s specific situation is an ethical issue only in respect to the fact that they planned to enable by default for existing users. That’s a bad move. They’ve stopped the bad move.

I’m more interested in the overall pattern of “company does thing, people disagree with thing, people express outrage to company, company issues statement”. Which in many cases has zero ethical components.


> I’m not sure how you expect to have a productive conversation when, in this and parallel comments, you’ve made several insinuations that I’m a conscienceless lizard person.

Your reaction that perhaps corporations shouldn't apologize when they do something wrong if it have any selfish benefit, does lack conscience and is a wholly inappropriate reaction to this situation. Discussing the self-centered strategic merits of apologizing from the perspective of a sociopath isn't a productive conversation.

However, I'm not one to write people off based on one interaction. Just because you've reacted without conscience in one situation doesn't mean you would do so in all situations.

> But to be clear: Triplebyte’s specific situation is an ethical issue only in respect to the fact that they planned to enable by default for existing users. That’s a bad move. They’ve stopped the bad move.

There are more ethical issues than that--they haven't stopped them all.

> I’m more interested in the overall pattern of “company does thing, people disagree with thing, people express outrage to company, company issues statement”. Which in many cases has zero ethical components.

Which is irrelevant in this case, because this case does have multiple ethical components.

And, more to the point, this is still an ethical question. Apologies are never about benefiting the person apologizing. Apologies are inherently an ethical action--if you claim that the company didn't do anything wrong, then they shouldn't apologize. Not because it doesn't benefit them, but because lying about being sorry isn't ethical.

"Should a company lie and pretend to be sorry when they haven't done anything wrong?" is still an ethical question, and your looking at it from the perspective of selfish gain is still an inappropriate way to look at it.


I appreciate your candor in pointing out that you don’t consider my perspective to be appropriate.

I suspect, in light of that, that we’ve bottomed out the utility of this thread.


I read your guys threads... I want my 5 minutes back.


That's probably the greatest lesson companies could learn at this point.


An apology is not a "get out of jail free card," it is a good first step on the road to repairing users' trust. They still screwed up and have a long way to go in my mind.


Apologies maintain norms and standards. They define the lines we shouldn't cross by noting areas where they were crossed.

We should reward apologies and punish those who don't. Our failure to do so is creating a market incentive that will destroy or weaken valuable norms.


> We should reward apologies and punish those who don't.

We should expect rather than reward apologies, and we should punish both people who fail to apologise as well as people who apologise but fail to follow through on changing their behaviour.

Ammon so far has done no more than the minimum expected from someone in his position. Time will tell whether his actions reveal his apology to be genuine and behaviour changing, or empty lies.

Rewarding apologies that turn out to be empty lies is what gave us Facebook. I fear Ammon's ambitions are to be more like Zuckerberg's rather than less, so I'll be very judgemental and dubious as I watch future moves by Ammon and Triplebyte. Like he acknowledges, he's lost trust. You earn trust back by your future actions, not by the eloquence of your apology.


Words have no value. Actions do. This apology changes nothing, so long as they don't follow it up with actions that prove their intent.

The one action they took is that they cancelled the feature. _That_ has value. Arguably not enough, but it's a good first step. I'm eager to hear what they follow it up with, but they _have to follow it up._


> Words have no value. Actions do.

Uttering (or publishing) words is an action.


Because screwing up and retracting is better than just screwing up.


It is still important to apologize so that potential or previous users can begin to form an opinion on whether or not a company can even attempt to earn their trust back. Of course an apology does not erase Triplebyte's actions, but I think that it is possible the CEO truly did lose sight of his goals and become removed from the user. The section about his experience job searching during the recession seems genuine.

Companies are becoming more sterile and calculated, and perhaps statistically issuing an apology has no impact on user retention, but I for one am glad there is still some humanity to be found even if it's a hollow gesture.

Publicly taking responsibility and acknowledging mistakes can be a powerful tool in changing. Because of this apology, I will at least monitor Triplebyte's progress to see if significant structural changes are made to keep a decision like this from being made, instead of not even giving them a chance to gain back my trust. Their actions will tell whether this apology is genuine or not.


Uh, you say this like an apology is always sufficient. It isn't. If you break the trust in a relationship and damage that relationship, saying "sorry" isn't enough. Trust should be hard to regain. Your comment reflects why companies keep getting away with being terrible to consumers. It's like an abusive relationship - some kind words, a "heartfelt" apology, and everything is back to normal so they can abuse you some more. It's not enough if they don't take any steps to improve themselves and prevent this behavior from happening again. Trust can be regained over time by repeatedly doing the right thing. "Sorry" just doesn't cut it.


The expectation is not receiving more apologies from companies, it is companies learning from screw-ups like this and not trying to pull off stunts like this in the first place.


In the context you mention, the word mob is usually understood to mean: "a large crowd of people, especially one that is disorderly and intent on causing trouble or violence"

With this understanding of the word, using the phrase "the internet mob" seems quite negatively loaded. Consider the context of companies harming their users in ways that may not be obvious to everyday people: I, for one, want people organizing to get the word out.


An apology is a company's best shot at damage control after a PR disaster. A well crafted one has obvious benefits in that it might win some people back, as can be seen from the people defending Triplebyte in this very thread.

Just because it doesn't work for everybody doesn't make it not worth doing.

FWIW the apology doesn't do jack shit for me.


I think what the company wants is to recognize their mistake.

Users can still see that... and be worried about how they came to the initial decision.

None of that should influence if you do or don't apologize.


What's with all the apologizing lately? I don't pay for people to mess up. How many mess-ups does your employer tolerate before they find someone else to take your place?

This isn't kindergarten, we're not here to educate those companies, they run a business, you mess up, you're out, we give the competitor a chance. That's how it works.


In the interest of providing a counterpoint: I’ve definitely made many mistakes per job at multiple jobs, without the employer “find[ing] someone else to take [my] place”.

As a user, I’m also not dropping a company that provides me a useful service at the first (or likely second, or third) mistake.

Not everybody subscribes to this one-screwup-and-you’re-done mindset that you seem to be describing.


That's not really the mindset. The mindset is: what will serve me best. If you no longer qualify, you no longer qualify.

> that provides me a useful service

And what if the service stops being useful? What is an apology going to change? No longer useful, you'll move on.

That's where I find these apologies to be a sham. It's trying to play on people's emotions, to keep them around even once they've stopped providing value and utility, or in this case, actually causing you harm.

The only reason your employers have kept you around, is because your "mistakes" were within the expected range of what people in your position will be making as well. If you fall below that threshold, trust me, you will not be kept around for very long.


Your prior comment says “... you mess up, you're out, we give the competitor a chance. That's how it works.”

I’m saying that’s not how I approach my interactions with businesses. As you noted in your reply, employers expect an employee to make mistakes within a reasonable threshold. I have the same expectation for companies that provide me services. Making a mistake does not suddenly evaporate all their “usefulness” to me, as you seem to be suggesting.


That's just because we're using weasel words.

When I say "mess up", I imply a quantity of mistake that is beyond acceptable for the value I get.

You seem to quantify "mess up" to a much smaller degree, like "mess up" implies a reasonable set of mistakes.

So we're not discussing the same scenario, due to us quantifying "mess up" to different degrees.

It seems if we normalize our quantity of "messing up", that we actually fundamentally agree. No amount of lack of or of providing an apology really affects the consequence. Mess up within reason, you don't even need to apologise, as long as I'm still getting good value I'll continue to be a customer. Mess up beyond reason, and an apology won't help, as soon as I'm no longer getting good value, or if you're actually providing me negative returns, I will begin to look for an alternative.


People do make mistakes. Sometimes people really do just fuck up. We're only human. All of us. Whether you're a CEO or just a worker. Whether it's even heartfelt or not, it's nice to see someone without any bullshit or wishy washy words, just straight up say, sorry everyone, i really fucked up.

Personally, i appreciate the honesty from people, whether they mean it or not, it still takes some bit of honour and humbleness to openly admit your mistake. It's not an easy thing to do and i can appreciate the effort it takes to come out and just straight up say 'yeah i'm an idiot and i fucked up pretty bad.'

Plus, the way i look at it, you always have to remember, no matter how badly you fuck up, you're not that dude that fucked up the space station and caused a slow oxygen leak that had to be repaired with a risky space walk and even he was forgiven...probably.

ETA: Just to add to this as i've thought of it. Years ago, somebody i knew stole a few hundred dollars from me and disappeared. I thought i'd never hear from him again. A couple years later i got a random phonecall from him. He didn't have my money or anything, but he had the guts to call me and apologize and admit he'd just straight up ripped me off. I've never heard from him since and i'd never trust him again, but i respect the nerve it took for him to do that.


How many times have we heard Zuckerberg say "I'm sorry, we let down our users" in an eloquent and humble and seemingly heartfelt way, only to find they were right then in the middle of an even more brazen abuse of their users?

Do you suppose Ammon truly realises this plan was a totally unacceptable betrayal of his users, or that he admires and aspires to be Zuckerberg still?


I haven't heard Ammon call his users a bunch of dumb shits and repeatedly do shady things and i've never heard him directly apologize without somehow not only insulting users but saying a bunch of hypocritical shit and contradicting himself.

No I doubt he truly realizes it. There's no way he can empathize or truly understand the needs and worries of people using his service. But, like I say, I respect and appreciate upfront admission of wrongdoing. I don't think anyone should trust them.

Triplebyte fucked up, anyone believing this shit wasn't intentional and planned to derive revenue from users during an obvious downtime is naive. The mistake was not realizing this was a horrible idea and continuing to such a ridiculous thing. They should be abandoned. But I respect the admission of the fuck upery.


Key words: "how many times"

Ammon has done this once. I think everyone deserves a second chance, and maybe even a third. Zuckerberg has had way more than that.


>Even if it is heartfelt, I'd argue that if no alarm bells went off internally when they were discussing this feature, they are not the group of people to entrust with information such as this.

On one level I agree with this, in that I don't think 'heartfelt' is a fair metric. It's subjective, it's a ritual, and on some level the demand for performative contrition feels to me like something that doesn't have well defined parameters and past a certain point doesn't serve a purpose.

What is important to me are the statements that acknowledge error and recognize what made it a bad thing to do. Those seem on-point to me and, insofar as apologies go, I'm not sure what else should have to be said.


Both the heartfelt-ness and the acknowledgement of error are things that talented writers at crisis management agencies or PR firms or even internal comms teams can ghostwrite for anyone. All they tell us is that someone (not necessarily the person who fucked up) recognises what the right things to say publicly right now are. Apart from Ammon's ability to accept words assigning blame to himself, we can not really read anything more into those words.

Let's wait and see what he, and the entire team who didn't stop this before they launched the idea to significant negative outcry, actually do in the future.


He dropped it on the Friday before the biggest holiday weekend of the year. He knows what he's doing. He's done it before, and he's still doing it. Just pulling power moves. Move fast and fuck shit up.

The dude has personally tried to pull fast ones on me. This is a fucked company since day one. I brushed it off, but when you keep up these patterns for years...jog on.


>The dude has personally tried to pull fast ones on me.

Can you clarify?


> biggest holiday weekend of the year.

What holiday was that? I wasn't aware of any. In any case, I'd say Christmas is probably the biggest holiday, although it doesn't always fall on a weekend.


The holiday weekends in the United States are MLK Day, Presidents' Day, Memorial Day, Labor Day, Columbus Day, and Veteran's Day.

This past weekend was Memorial Day for those in the United States.


In the USA it’s a long weekend with nice weather. (Nicer than typical Christmas winter, anyway)


> if no alarm bells went off internally when they were discussing this feature, they are not the group of people to entrust with information such as this.

On the other hand, once shit hit the fan, you could argue that these people would be extra-careful about fucking it up again, as opposed to another company where everything seems silently OK.

It's a bit like the story of the engineer who did a 400.000 dollar mistake on his first job. Asking the manager if they were going to fire him, he was told that no way they were going to fire somebody that just cost them so much money to train!


> On the other hand, once shit hit the fan, you could argue that these people would be extra-careful about fucking it up again

In my experience with Facebook, Google, and a variety of smaller companies, this doesn't happen.

To people who think the way TripleByte apparently does, the fuck-up was getting caught, not violating trust in the first place. If they had no moral issues with betraying users, they won't have any in the future (unless executives and board are replaced).

Instead, they will pay more lip service to privacy concerns and be more secretive about violating user trust.


So Go Daddy after the first "We're sorry..."?


I also read a story on HN where a devops engineer made an $80k mistake and got fired. He got hired at a new startup and the founder thought "of course he won't make the same mistake twice". He did.


Anyyyy chance you happen to have that link handy? Terrible misfortune but sounds like a good read.



At least we can be sure lightning won't strike thrice!


I wouldn't count my blessings!


> It's a bit like the story of the engineer who did a 400.000 dollar mistake on his first job.

The primary reason not to fire this person is that if something like this can happen, it's a process failure.


They're undoubtedly going to have to do more to make things right in the future for those who have been following this issue, but it's at least refreshing to read what seems like a genuine apology. If we can take away anything from this, it's that Triplebyte actually understand why people were upset over this. I've read lots of apology emails where those in charge clearly either didn't understand the problem or they were dismissive towards their consumers.


We want to do something more concrete to guarantee user privacy going forward. A technical solution would be best. But short of that just a really strong, transparent commitment (that makes it easy to hold our feet to the fire if we screw it up again). But I could not get this together before the email today. I'm expecting to announce something in the next few weeks. I agree with people here when they say that actions are what really matter. I screwed up enough that I certainly don't think an apology alone makes it better.


> A technical solution would be best.

This is another error in your thinking.

You can't solve failures in human understanding with technical solutions.

Your first instinct is going to be to try to cite counterexamples - but that only proves the point.

You're in a business that deals with people. You can't eliminate that with technology, and the fact that you think you can try is what makes you dangerous.


> If we can take away anything from this, it's that Triplebyte actually ...

... have a decent crisis management or PR firm on retainer.

Which might be as much of a red flag as the initial fuckup...


> have a decent crisis management or PR firm on retainer.

On what basis do you say they have a firm on retainer?

I think many/most CEOs in this situation would make some calls to get advice on how to manage the situation -- I don't think that is a red flag.

If they don't take strong, concrete steps to mitigate these kinds of problems in the future, I will have less confidence and trust in their company.


There was a study about surgical fuckups. In almost every case, multiple people in the OR admitted they recognized the problem but were too scared to speak up because the surgeon said things were going fine.


The same issue was found to be the cause of plane crashes: the crew knew that something was going wrong, but did not feel that they could contradict the captain (or the captain just wouldn't listen). This gave rise to the practice called Crew Resource Management (CRM):

> Crew resource management formally began with a National Transportation Safety Board (NTSB) recommendation made during their investigation of the 1978 United Airlines Flight 173 crash. The issues surrounding that crash included a DC-8 crew running out of fuel over Portland, Oregon while troubleshooting a landing gear problem.

> The term "cockpit resource management" (later generalized to "crew resource management") was coined in 1979 by NASA psychologist John Lauber who had studied communication processes in cockpits for several years. While retaining a command hierarchy, the concept was intended to foster a less authoritarian cockpit culture, where co-pilots were encouraged to question captains if they observed them making mistakes.

Source: https://en.wikipedia.org/wiki/Crew_resource_management


Do you have a link to the study?

I certainly believe it. Projecting my own anecdotal bias, most surgeons I've met have been a special kind of arrogant.



The pilots' case is the subject of an entire chapter in the book Outliers.

Book is... of oscillating quality.


I can't find the specific study, but it is part of the third part of the book The Power of Habit.


That last part is called the God Complex. Many surgeons have it.


Many engineers complained about the risks before the Challenger disaster. Management suppressed the concerns and championed incorrect risk math in order to justify it.


This is more sensible than people in this thread seem to think. The company emitted a signal about how they reach decisions — you can debate the strength of it but it makes sense to update one's priors accordingly. Hey, path dependence is a bitch.


I'm surprised they didn't consider beta testing the feature with a subset of users to see how it'd go first.


According to one of the CEO's replies in the other comment thread, one of the drivers to push forward was that they need to meet their sprint goal.

I don't have any inside information but it seems that this could also be a case of the downsides of deadlines. They set a deadline and then all other considerations go out the window when trying to meet that.


For anyone who thinks this is too ridiculous to be true, here is the CEO confirming this was rushed out to meet a fake-Agile fake deadline, without regard for how it might affect users or developers:

https://news.ycombinator.com/item?id=23280137


I am trying to evaluate this as fairly as I can. "Sprint" is one of those words that just ... sets me off. I have to remind myself to be rational and measured in my response.

Having said that, "sprint" is not a word I associate with thoughtful progress toward a reasonable goal. What it does say is "rush forward in a heedless manner" and "don't think, just run."

Another artificial deadline dressed up with terminology that encourages plunging ahead without due consideration.


Lol. Gotta have priorities. That's some serious b school negative work.


Yeah, I think that's certainly part of it. I'll try to be more careful with sprints going forward. But I made the initial plan for the opt-out release before the deadline. So it was also just a pretty bad loss of perspective on my part.


Whoa! Deadline was a reason to push a feature which is big and privacy violating one. Can a bank say due to deadlines we made passwords not encrypted? The feature which is your core cannot be part of deadlines. If they were really intent on user protection, they would have de-scoped it to next sprint.


We did user research about the profiles, but not (crucially) about the opt-out release. That was the fuck up.


In a state that permits users to delete their entire data forever and ever, hallelujah.

golf clap

(One of the 2,000+)


Both a cynical and wrongheaded answer.


It's like they don't even internet.


Even the greatest of apologies is not a time machine that will completely undo what happened. A C-level/director-level team pushed out a massively privacy violating policy with zero feedback in an effort to compete against an incumbent company (LinkedIn) on a Friday afternoon.

It reeks of they-raised-too-much-money-and-now-have-to-do-BIG-things syndrome and would seriously discourage me as either a user or enterprise customer, as if the AI/machine-learning BULLSHIT didn't already do that. They're a recruiting company that took a sucker punch with CV-19 and effectively tried to sell their user data as a get out of jail free card.

The saving grace is that LI Recruiter is a trash product (for years...) and they could probably eke out a consumer net-good by bringing more competition to the market, if only they went about it the right way.


People screw up. It happens. I accept the apology.


You are right, and the apology sounds genuine, yet my feeling as someone working in IT myself is that their culture cannot be one that values privacy. If your users entrust you with their information, deciding about what to throw away, what to keep, what needs to be anonymized, what is private and what is public is literally why people would trust you.

It can happen, but if it does maybe you are the wrong person for the job.

The question really is: in what kind of mode would you have to operate in order to forget that your users might want to have a say in the publication of their data? That is like a restaurant waiter forgetting to ask people what they want and bringing them a single random thing instead.


For myself, I don't expect corporations to be paragons of virtue. I just try to support the ones that are less screwed up. Everything is flawed. If you don't accept that, honestly ask yourself if you could build something bigger than just yourself that didn't have to make compromises you'd rather not make.

Every company that can help me find work is flawed, and I don't wanna start my own company any time soon. Heck, I am flawed. The best I can do is better than nothing and worse than perfect.


Really even if it’s a bank or a financial entity. Here it is privacy


Sure, Triplebyte made a dumb move here. But “massively privacy violating” is hyperbole.

It seems as if everything is considered “private” now. No, not everything is private. You interviewing for a job isn’t private unless both parties make it private with a legally binding contract. It is a mistake to wishfully label public information as private simply because we don’t want it to be public. It also makes it harder to talk about true violations of privacy and distracts from understanding the real issues at stake.

What people ought to say, and have often said here, is that it is a violation of trust. People trusted Triplebyte to find them a new job, not lose their current job. That trust was violated not by an invasion of privacy — it is their data as much as it is ours — but a violation of using that data in a harmful way.

Privacy isn’t the problem here. The problem is with whatever broken processes led to this bad product and poor decision.


> You interviewing for a job isn’t private unless both parties make it private with a legally binding contract.

I would gently suggest that you look into the idea of "reasonable expectation of privacy" which has a long history in the courts.


I'm in a different industry, but I read the HN thread about it a few days ago. In the CEO's comments, I saw a lot of 'I'm sorry you feel that way' type of apologies. I wrote that he should take responsibility for his own actions.

Perhaps he read that and took it to heart. Perhaps he read that and realized it would sound better if it seemed like he took it to heart. Perhaps after the monumental PR screw-up, they hired a PR professional that wrote the apology.

Who knows. Actions speak louder than words.


My personal belief is that any educated, native English speaker who peddles in non-apologies like "I'm sorry that YOU feel that way" is to be avoided as much as possible (socially or professionally). In my experience, these are typically the same people who will do other weasel-y things like tell lies by omission and justify it to themselves (and others) by saying they didn't technically lie so what's the big deal?

Indeed I've learned this the hard way.

Having said all that, the above apology goes even farther in accepting personal blame than I would have expected... so I'd be slightly torn on this one if the cynic in me didn't know he was likely coached heavily in crafting it.


Your comment was the first thing I thought of when reading today's email. I have worked most of my life as a secondary math and science teacher, and one of the things we teach all students about communication is "I statements."

This email is full of sincere I statements. Whether it comes from reading your comment or just reflecting on the whole situation, this is about the best response I could have imagined a few days ago. It accepts responsibility, and shares the thinking and feeling behind getting so far from where they should be heading.

I don't have a TripleByte account at the moment, but if I did I'd be open to what they do next. A CEO who has made a major mistake and taken sincere responsibility for it in my eyes is more trustworthy than many who just haven't made their first major public mistake yet. I know we need to watch them carefully for a while, but this is about the best statement I could imagine Ammon and TripleByte putting out right now.


After digging in his heels repeatedly on Friday against a tidal wave of opposition, Ammon found a "how to apologize" book and banged out an apology, while still devoting paragraphs to defending his mistake and selling his origin myth. Even his well-researched apology reeks of narcissism, not respect.


I guess he also needs some amount of reasoning to explain his mistakes. I do too, and it somehow infuriates people if an apology contains anything but ‘groveling’.

Doesn’t it show that I’ve properly reflected on how I could screw up like this so I can adjust my behavior in the future to avoid it?


> I guess he also needs some amount of reasoning to explain his mistakes.

An apology 100% does not need explanation or justification of why mistakes were made.

And if you're going to put those in, you 100% need them not to be "Our company is doing it really hard due to COVID, so we thought we'd just {{monetise user data provided under strict expectations of total privacy}}"

People who beat their partners regularly say "look what you made me do!". Ammon just said "but I was going broke, I had to try this!"


They scrapped the feature so that's an action backing up his words.


Question is why was it there in the first place, so hideous, so late on Friday, one week time to update the profile. Why not more time when it concerns privacy.


The fact that it got to this point I think would be concerning:

a) No one thought this was a bad idea, or

b) people who thought it was a bad idea didn't want to say it was a bad idea (why?), or

c) people who did say it was a bad idea were not listened to (feedback was not acted on).


I wonder if searching LinkedIn/Crunchbase might reveal a small team of people with experience in the technical recruiting space who've very recently left Triplebyte?

That might be a good indicator that perhaps _they_ are the sort of people who might sensibly be trusted with job seeking personal information...


I totally agree with this. When I see corporate apologies I look for two things:

1. Actions speak louder than words. In this case, they are reversing what originally caused the outcry.

2. Did they look introspectively to try to really understand what made people mad in the first place. In this case I believe the CEO did.

If we don't ever accept sincere apologies, then we're left with a world where there is never an incentive to apologize and improve. Frankly, seeing a taste of this in US politics with politicians doubling down on their past mistakes even when confronted with all evidence to the contrary - this is not a path I'd prefer to go down further.


I look for one more thing:

3. What steps the corporation took to prevent this issue from occurring in the future.

While I believe that the CEO is sorry, I can't consider the issue resolved without #3.


This is an important point, and it's something I'm thinking a lot about right now. I don't have an answer, but I want to talk to my team and make an announcement in the next few weeks.


It is sad that you felt you had to use a throwaway account to post this totally reasonable opinion.


It’s a three year old account. Not everyone wants a HN account in their real name.


This kind of missed my point. I know this is not something we are supposed to talk about, but I miss the old HN. The sad thing is these days I get more value reading the new post raw feed than the conversations on the front page.


I didn’t miss your point. Your point was not based in reality.


Not only did you miss my point, you made it.


Tell that to TripleByte, amirite?


I'm like you, not actually a triplebyte customer, but have followed on hn.

> They listened and that's what counts for me.

The fact is that they didn't listen. The ceo ammon was here on hn clearly not listening and clearly not apologising.

I would surmise that it's only due to a flood of account deletion requests that he started to notice... And this proves one thing: on triplebyte you are the commodity and not the customer.

Although it's unlikely I'd have ever used them, because of this fiasco you can be sure I'll be warning people away from the platform entirely, heartfelt apology or no.

For my view to change he'll have to do a whole lot more than one email. He needs to change his way of thinking and one email is no way of proving that it's happened.


+1 for "you are the commodity and not the customer"


If they're so sorry and they're listening to feedback why do they employ dark patterns such as requiring a government ID to delete an account?


That is foolish. Fool me once, shame on you. Fool me twice, shame on me.

It is too early to put trust in Triplebyte. The classic Silicon Valley playbook is to do something that crosses a boundary, get pushback, apologize, and later try again. Eventually it succeeds.

Examples:

- sharing all your financial transactions and passwords with a third party

- suppressing posts for reasons

- sharing private conversations with powerful parties

Wait and let Triplebyte prove itself with real actions instead of just talk.


So many companies issue an apology that's been composed by a PR team and edited by legal. It ends up being a wishy washy we admit nothing but care about our customers kind of statement.

It's refreshing to see a real, detailed, apology. Just taking responsibility and owning each mistake of judgment or process along the way.

My opinion of these guys actually went up a notch over this debacle.


I was about to read this apology cynically but I think this is one of the best apologies I've ever read.


Sure. Great case study for the crisis management team who got it together over the long weekend. I wonder who they were? (And which other companies they work for that I should avoid?)


I think what the critics are trying to say is that plenty of companies in the same space were not tempted to do this kind of stuff, despite all the pressures, and instead stayed committed to engineers’ privacy and putting candidates first.


Ammon was also a cofounder of Socialcam, known for a ton of dark patterns. He employed similar techniques here. If he didn’t use so many dark patterns I could forgive him.

He made the feature opt-out. He sent out the email on a Friday before Memorial Day weekend hoping no one would notice. He made the opt out button hard to find. He made the process of deleting accounts very hard, saying they required government ID and it would take 30 days.

He knew exactly what he was doing.

He made preparations for the blowback. That’s a fact otherwise he wouldn’t have taken these dark measures ahead of time. What he didn’t anticipate was getting caught and the level of vitriol he would receive.

He honestly thinks he is smarter than us. I think a person can go to the well only so many times before we have to assume they are insincere and lying.


Do you believe the part where he said he didn't realize the consequences of being default public? That part is inconceivable to me. I believe he did know the issues and decided to proceed anyway to see how bad the public reaction would be.

His actions and response are consistent with behavior. It sounds much better to say "I didn't think through it" than "I knew it was bad and wanted to try it anyway."


I disagree, the site is by developers for developers. Every developer on planet earth is well aware of privacy issues and the evil dark pattern of negative options. They knew this ahead of time, they took a gamble and shit hit the fan. The apology is not heartfelt or sincere, it's just damage control.

If they want to correct this mistake, turf the product manager or make a $25K donation to the EFF as an act of penance.


If they make a $25k donation to the EFF, people will just ask “why not $50k?” or “why not pay me?” They can’t win against people who have their mind made up.


You also can't win against companies/founders who have their mind made up about acceptable monetisation strategies and PII handling.


Turning the ship around was just the only rational move from the business perspective. They thought they can pull it off, doubled down, found out they cannot. Too late now.


Do something shady, blows in your face, write heartfelt apology, repeat. Fine with you?


>>Some comments around here are extremely negative of the whole situation. More negative than I think they deserve.

Welcome to the new world of Cancel Culture, where no one can ever be forgiven, excused or allowed to personally grow

The second you make a mistake, well, that should mean your life is over...

Society today is in a sorry state and I see no end in sight


> Some comments around here are extremely negative of the whole situation. More negative than I think they deserve

People would have gotten laid-off to this. The dark patterns are just cherry on top.

The negativity is well deserved.


The negativity towards the original announcement of making profiles public was deserved. For me, the negativity towards the CEO's apology and cancelling the feature is not.

Everyone makes mistakes and if nobody would be willing to look past that, then we'd never get anywhere.


It would have gone over a lot better if he didn't spend a couple days on HN telling people they shouldn't be mad about it.

And it would have gone over a lot better if he was honest about what happened. He got caught with his hand in the cookie jar and he's all "was that wrong? Should I not have done that?". They knew exactly what they were doing and calculated that it was worth it.


Quick correction:

> spend a couple days on HN telling people they shouldn't be mad about it.

It was actually only a couple of hours and a few (very inflammatory and highly downvoted) comments, near the beginning of the thread, and then radio silence as the fire raged on.

I think that he took a step back and began reconsidering after realizing that his comments weren’t helping any, but because they were the only thing he said in that thread and a lot of discussion was focused on them it seemed like a lot more activity than it really was. (Not that this excuses anything, but I think it’s important to be clear about what happened.)


I suspect the board and/or legal and/or investors confiscated all his devices and put him in total lockdown...


He didn't spend a couple days on HN telling people they shouldn't be mad about it.


He certainly spent a great deal of time saying "I'm sorry you feel that way" (a classic non-apology... there's no better way to make a bad situation worse than by starting off with those words).


Yeah but not for a couple days. He got whipped by downvotes and left after a couple hours. Agreed about the sorry you feel part.


What I've come to observe is that you can never make everyone happy - a truism detached from this specific incident.

So when you receive negative feedback on something - how should you respond?

What if you're used to some certain baseline level of negativity? How should you respond then?

I feel like there is feedback on the individual level and the aggregate level. Clearly in this case TripleByte saw that they would have alienated a large and important community but I'm convinced you can blame a CEO for being diplomatic but thick skinned.

I mean this is the community famed for trivialising Dropbox


> What I've come to observe is that you can never make everyone happy

Most of us get through life without ever making that many people that unhappy all at once though. It's not like this outcry wasn't obvious and predictable to any reasonable person.


There are plenty of ways to respond. "I'm sorry you feel that way" is never one of them.


I interpret such a statement as expressing sympathy with someone's point of view, but also disagreeing with it.


It's pretty well understood by people far less experienced than the CEO (i.e. me) that you need to split those messages up.

Empathy is unconditional. It says "wow, that must be really painful/terrible/scary". It carries no judgement around the accuracy of such feelings, only an understanding that they are real for the other person.

Disagreeing comes later after you have shown there are legitimate competing solutions.

"I'm sorry you feel that way" fails at the first so you haven't yet earned the right to disagree agreeably.


What makes it complicated, though, is that some people interpret "I'm sorry" as an admission of guilt or agreement, so conservative lawyers and others recommend specifying what you feel sorry for so as to not give away the farm.


I can see how that conclusion gets drawn.

Any new feature that is announced can be met with some negativity. Sometimes it just ends up working despite that. It is not surprising to me that at first, they tried to defend their plans. It probably took a while for the backlash to sink in and their own opinions to change.

I wouldn't expect every company, even ones that target HN's primary audience to turn everything around right away because of an angry thread within a few hours. They turned around in 2-3 days. Quick enough if you ask me.

Disclaimer: I am really not in any way affiliated with Triplebyte. I am not even a user/customer. I just see a lot of negativity that I find unjustified.


Nobody is mad about a "feature". They're mad because Triplebyte made sensitive private data public.


They're mad because Triplebyte made sensitive private data public.

And engaged in a host of dark patterns that made it difficult for people to effectively respond to that, for example by getting the data deleted and cancelling any account they had. The problem wasn't just the original error in judgement, serious as that was. It was the doubling down on it in both the implementation and the handling of the criticism when it was announced.


This ^. This is the issue.

Calling it only a "feature" is just downright twisting the facts.


Except they didn’t make any data public. Yes, they were going to, but they hadn’t yet.


Is it possible to look too kindly at somebody? I think so. Clearly the CEO is backpedaling now that there's been a public outcry.

He's not sorry about what he did. He's sad he got caught.


What's the penalty for looking too kindly at somebody in this context?


One continues to be taken advantage of, over and over again.

Assuming good faith is not prudent when dealing with people who want your money or data. We have enough collective experience at this stage to say this conclusively.

Edit: Being cynical is the new normal when dealing with companies. Especially if they have your data, or want it.


Wait, I thought we were talking about kindness after they pulled the plug and backtracked on everything.

How am I being taken advantage of if I read that letter and think "Well, good for them to finally realize things and take the right steps"? And I hope you're not speaking for everyone when you talk about good faith.


They have not "taken the right steps", at least not yet.

They've "stopped beating their wife". That's nothing to be proud of or rewarded for.

Everything else so far is just empty words. (Well written and convincing words, sure. But that guarantees nothing, any of us could find somebody to write a great apology if we're prepared to pay. Means nothing.)


> They have not "taken the right steps", at least not yet.

So reversing and apologizing is still taking the wrong steps? Is this one of those situations where no positive descriptor must ever be uttered about someone?

> That's nothing to be proud of or rewarded for.

Good thing I never said that. I don't think we're speaking the same language here.


> Assuming good faith is not prudent when dealing with people who want your money or data. We have enough collective experience at this stage to say this conclusively.

Well said. This ought to be taught in schools.

Being slightly pedantic I'd change it to "when dealing with companies that want your money or data" rather than "people" (though I'm pretty sure that's the general meaning you intended anyhow).


Until companies are run by AI, it's people.


What I mean is that I wouldn't apply the "don't assume good faith" principle to all people in all cases where money is exchanged. Like smaller "mom and pop" businesses, charities, or the self-employed for example. That's the only reason I made the distinction.


You’re assuming ill intent on a new company. To be so cynical is not a good way to view things in life. Also, they don’t want my money. You literally pay nothing to use them; they get paid (a one time lump sum) by the company who hires you


Think of it this way: If someone I trusted with my data doxxes me it doesn't matter if they do it for free!

Yes, we know they weren't doing it for the goodness in their hearts, but there's a huge leap between

- using what they know about me to sell services to others (classic Google)

- and outright selling/publishing my data to others

There's a reason why I still - despite all my dislike for Google - still respect them somewhat: they actually seem to try to guard their treasure chest of juicy customer data against both governments as well as everyone else, they seem to be in this for the long haul.

Edit: try to avoid being rude / abrasive


[flagged]


Hey, please don't break the site guidelines even if another commenter is wrong (or you feel they are). This is particularly a bad way to defend someone because readers will instinctively take the other side in response to the personal attack. Instead, please provide correct information in a conversational way, like some of the sibling replies did.

https://news.ycombinator.com/newsguidelines.html


> He got caught with his hand in the cookie jar

This confuses me. What big payout could they have gotten from making this public?


This isn't just a whoopsy mistake, this is a drastically stupid decision that brings the whole business into question. This wasn't really a technical mistake, this is bad leadership mixed with bad procedures. When you drive your boat into the ground because you're "not thinking" as the captain, it doesn't remove the fact that you drove a boat into the ground. Irresponsible would be an understatement, it would be more appropriate to call this moronic.


At this point in time it doesn't matter if there is an apology or not. Like above mentioned, some would have got laid-off or for some their intentions of job search is revealed. This is much worse of an effect that an apology would do any good. He apologized so what. It is good but damage is done. Can anything be done about it?


I believe you are misinformed. They didn't go public yet.


It wasn't just an apology -- they reversed the decision before it happened, preventing any damage.

I was also furious when I found out, and still am upset at how they went about this situation in the beginning. They could've handled it much better. But they did what the community asked for, and nobody was harmed in the end. I would argue that this was the system actually working.

I think we should encourage good behavior, instead of being totally unforgiving of all mistakes. Hopefully other companies can learn a lesson from Triplebyte and think twice before making this mistake at all in the future.

I'm still not sure if I'm going to keep my account with them, but I do feel better about it


With your attitude, someone could try something sneaky and dishonest like TripleByte did, but as long as they walk back on it eventually, it's all good.

Why wouldn't another company first try to push privacy violating changes on a Friday, when people like you are so willing to turn a blind eye to it if they get caught?

They violated trust and it's going to take a lot more than an email apology to get it back from people who care.


Did you read his comments here (on this thread)? It was that they were rushing to have this feature done earlier, but missed the deadline.


Yes, I read his initial comments and the ones here. Those very comments are the reason I am not as willing to turn a blind eye as others are. Those comments showed blatant intent to minimize the privacy violations and TripleByte's dishonest tactics. The follow up reads just like an excuse that sounds plausible to those with an engineering mindset. Given the audience of the blunder, and this site, I'd say that many users' capacities for forgiveness and second option bias are being taken advantage of.

Again, it will take a lot more than some words on the internet to gain back trust from people who care about the fact that they were tricked for financial gain.


If someone you know gets drunk and tells you they're going home to beat their wife, and you talk them out of it - they are still a wife beater. Being drunk doesn't justify it. Getting talked out of it doesn't make it OK. They totally thought beating their wife was an acceptable thing to do.

Ammon got talked out of making all his users' sensitive job seeking intent public. He is still the guy who thought that was an OK thing to do. Maybe he was drunk. Maybe he was going broke. He didn't _actually_ beat his wife. This time.


"...and nobody was harmed in the end"

Consider how you would feel if a credit card or a bank did this? Would you ever trust them again?

No, you would not.


But they didn't. They cancelled the feature in time. So no real harm was done.


I thought it went already live. Misread and misinformed.


They cancelled because someone caught it and posted it here on HN. It would have been a different story if it's given no publicity


They emailed their entire user base and notified them of their intentions.

You make it sound like they tried to hide this and got caught - that’s absurd given the facts.


They gave their user base only one week's notice of the upcoming change[1], and according to the discussion in the original thread, had dark patterns in their UI that made it hard to opt out of the feature (it would only allow you to opt out for 24 months)[2] or cancel your account.

[1] https://news.ycombinator.com/item?id=23279837

[2] https://news.ycombinator.com/item?id=23283237


I got the email. Your characterization is inaccurate.


I also got the email. I think the characterization is entirely accurate. (The bit about needing to opt out was badly phrased at best, and buried in the middle of a paragraph. I skimmed the email and thought it was a neat feature, and made a note to turn it on before my next job hunt.)


Since they reversed before making the information public, was damage really done?


Yes, massively, to Triplebyte’s reputation.


Could you maybe describe the damage to users that has been done? It is my understanding that they cancelled the feature before it went live.


Broken trust, induced fear, damage is done.

And worse, who is to say they won't do this again later when no one is paying attention?

Do you have personal guarantees they won't?


Stress, real or imagined, is stress.


How could a CEO the one major feature they were trying to do can't think something which many caught that upfront. It's not like something that was caught after 2 months or 2 years of a change, it was caught and discussed immediately after the announcement.


The explanation for how it actually would have worked (as opposed to how HN thought it worked) seems to clarify the reaction imo. I can totally see how they thought they were justified in the rollout of this feature. They believed it, while opt-out, was merely a badge and contained no sensitive data (compared to HN profiles).

This reaction seems way overblown. It's fine to criticize a feature but let's not pretend this is some nefarious plot that would have resulted in layoffs.


> merely a badge

> This reaction seems way overblown.

A badge on a user's now-public profile at a service that's used only when job hunting. Any company that noticed that one of their existing employees had a profile at Triplebyte could guess that the employee was looking for employment elsewhere. This would not be good for their career prospects, and could easily result in the job-hunting employee being chosen for a layoff or skipped for a promotion - most companies would rather keep or promote someone who's not about to leave.


Are workers in a competitive industry such as tech really at risk for getting fired for possibly looking for new work? Having a TripleByte profile would say as much as having a LinkedIn profile. It doesn't necessarily mean you're looking for a job. And when it's extremely difficult and expensive to replace an engineer, it seems like a bad business decision to fire a worker for this reason.


This gets into all sorts of dynamics and who controls them:

-- Layoffs are happening around COVID, now who do you think a manager will feel more OK picking?

-- For luckier companies, bonuses/refreshers/promotions happen at different times, a candidate may want their manager thinking about their work vs. them exploring greener pastures

That's sensitive stuff! Some candidate may like being exposed (it's a threat!), some won't (shows disinterest! distracts!). Crucially, the question is of agency: folks entrusted TripleByte, expected privacy based on TripleByte's marketing and industry norms, and instead of having the decision, got into a world of dark patterns (opt-out, weak notification, difficult avoidance, long time delays, ...).

Edit: People are down-voting this. Consumer tech companies have been going through layoffs, generally one or more rounds of 20%. Many B2B's are on a delay, and are starting to see numbers around their b2c customers plummet: easy for more to happen as ripples continue. What could have been an opt-in feature to help folks maybe get better new positions was instead set up to add easily-avoidable risk.


I didn't downvote, but I reasonably question how much energy is put into looking if employees have a TripleByte page. Performance reviews are typically backwards looking (what did this individual deliver for us in the last year) and forward looking (what trajectory does this person have in continuing to deliver value to our organization).


Imagine an HR person using Triplebyte to recruit. As part of regular self-googling, finding folks with similar skills, etc., they'd see employees looking for new opportunities. A good HR person would notify the manager etc. of flight risk.

This won't happen to everyone, but again, it's a matter of agency. Someone at a tiny startup may not care, but someone at a bigger or more political org might feel risk differently. It's their career, not TripleByte's.


> I reasonably question how much energy is put into looking if employees have a TripleByte page.

Right now? None. Because sensibly there is no such publicly available thing.

Any recruiter or hiring manager who doesn't at least look for a candidate's public LinkedIn page (and in those roles, they should also have LinkedIn premium or whatever it's called too) is not doing their job properly.

I have little doubt that this would have become "standard procedure" for managers when prepping for the "forward looking" section of a performance review and when making decisions about promotions/layoffs/payrises - if Ammon had got his way.


There are what, 15000+ engineers competing for that many fewer jobs? Getting fired for looking for new work looks much more possible now than it did 3 months ago.


I really doubt this.

If a company would lay you off because you have a profile on a jobs network, they’re really a shit company you wouldn’t want to work for anyway.

Not that I agree with their actions - anything like this ought to be opt in only, but I can’t see people getting laid off. I have a profile on linked in with my boss and multiple people from my company as contacts, I’ve got profiles on multiple additional jobs board both locally and nationally. I’m not really looking for a job, but I have absolutely no reason to think I’d get fired for having a profile on triplebyte (which I do as well).


Scenario: You're the boss. Your company needs to layoff one of two people in a specific role. The two employees up for termination are more or less equal in terms of performance, wages, experience, etc.

You have strong evidence Employee A is unsatisfied and looking to move on. Employee B has given no indication of such.

Which one do you lay off? Keep in mind that unsatisfied employees often have a detrimental effect on the morale of their (otherwise content) co-workers.

Answer: You lay off Employee A. And not because you are a bad CEO or bad person. You do it because it's legitimately in the best interest of the company.

Now take the same scenario and substitute a promotion in place of a termination. Which employee will get the promotion? Which employee is in your best interest to invest more money and time in? I think you know the answer.


we can make up hypotheticals all day long. Firing someone because they have a profile on triplebyte is just silly. I get that you all need to justify your rage over this, but this really makes no sense. The world doesn't work the way you want to believe it does. I don't know, maybe you work somewhere that's normal, but if you want to call something toxic, that's toxic. No boss I've ever had would care less about my online profiles.


>we can make up hypotheticals all day long.

So you're not going to point out any logical flaws in the scenario? You're not going to tell me why it's not a useful exercise? You're just going to avoid answering it because.... reasons.

> Firing someone because they have a profile on triplebyte is just silly.

Neither of the examples I gave were about firing.

>I get that you all need to justify your rage over this, but this really makes no sense

I don't have any rage. My comment didn't express any rage. It gave two perfectly sound illustrations of why this information being public could put one at a disadvantage.

>The world doesn't work the way you want to believe it does.

Please elaborate. How does it work? And why is your experience about how it works more "correct" than the hundreds of commenters here?

>I don't know, maybe you work somewhere that's normal, but if you want to call something toxic, that's toxic.

You can prove it by answering my question. What decision would a non-toxic, perfectly reasonable employer do? What would you do? I'm genuinely curious.

>No boss I've ever had would care less about my online profiles.

Same here. Aren't we lucky. Not everyone has had the same experience as evidenced by this thread.


It's a silly hypothetical, and not worth addressing any further than I already did.

You've now admitted you're not even in the situation, so why debate for it other than internet gotcha points?


>It's a silly hypothetical, and not worth addressing any further than I already did.

You haven't given a _reason_ why it's "silly" and "not worth addressing", you just declared it so. That's not how civilized debate works and not how intelligent, honest, people disagree.

>You've now admitted you're not even in the situation, so why debate for it other than internet gotcha points?

Because I believe in privacy, ethics and get some enjoyment out of vigorous and fair debate. Sometimes my mind gets changed, sometimes I change other people's minds. Other times, there are people who just aren't up to it intellectually and cover their ears and spew childish nonsense.

So let's cite some sources shall we?

1) According to a specialist in employment law at Dilworth Paxson LLP and author of the online law blog “The Employer Handbook” it is sometimes advisable for employers to terminate an employee looking for other work.[0]

2) According to hundreds of professionally employed developers on HN. "We feel at risk of this happening to us."

3) According to internet user jkl275. "That's silly because it doesn't match my experience. And if it is true, the company you work for is shit. Therefore your concerns are unfounded because.. well... I'm not sure. Why are you even arguing with me!?"

[0] https://blog.shrm.org/workforce/caught-in-the-act-employees-...


I’m pretty sure one can find a lawyer to argue any side of any point. That doesn’t make it so.


It makes it much more "so" than a random internet user attempting to argue the opposite without (1) providing any references or (2) putting forth a coherent supporting argument.


> you wouldn’t want to work for anyway.

Sure, but you still have a mortgage to pay and would like to switch companies on your terms rather than on your employer's terms, right? Have enough time to find the right job you want, instead of the least-worst because you're really not comfortable with being out of work in what's looking to be a long economic crisis?


> you wouldn’t want to work for anyway

That would have been much easier to say a few months ago. But now, lots of startups and even large companies like Uber and Airbnb are laying off workers. Suddenly, for many, staying at that crappy company they currently work for is starting to seem like a much better option.


[flagged]


The cookie jar argument is fine, plenty of people are making it. The sociopath thing is over the line - you can't attack someone like that on HN. I'm happy to see that users rightly flagged it.

https://news.ycombinator.com/newsguidelines.html

p.s. While I have you, could you please stop creating accounts for every few comments you post? We ban accounts that do that. This is also in the site guidelines. You needn't use your real name of course, but for HN to be a community, users need some identity for others to relate to. Otherwise we may as well have no usernames and no community, and that would be a different kind of forum. https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...


Sure, I didn't realize the account thing was against the rules.

I don't mind being flagged though. This is a [YC invested] company that just exhibited another example of the valley libertarian "the rules don't apply to me as long as I make money [or I get caught]" mentality. And hey, if that's what his priority is, more power to him! I personally think "sociopath" is an accurate label for that group of people, but sure, we can use a different term. How about objectivist? :)


For me it falls into the IPD category (Internet Psychiatric Diagnosis), which is generally a no-go on HN. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

Thanks for responding so nicely about the accounts thing.


[flagged]


You're getting downvoted, but you're 100% correct.

Let's be real here. This guy's business went to shit because of the pandemic, and he's panicking that he's going to get kicked out of the cool kids VC club. Then he made a big strategic boo boo to try to stay in the club, and laid on a bunch of rationalizations why that wasn't the case last week. Now, he realizes he's doubly fucked, and got a PR firm to help him do damage control.

Which honestly is fine to me. I don't care one way or the other. It's just funny to see people contort to not see the obvious.


Ever hang out with a sociopath/narcissist? They give the best heartfelt apologies, they almost make you feel guilty or something.

Not sure I agree with that. There's a very obvious example of clinical narcissism that we frequently hear about these days who seems to be a strong counterexample, in that they have never gone on record apologizing or taking responsibility for anything, even when doing so would be a clear, unambiguous winning move.

It's usually perilous to diagnose other people with psychiatric conditions over the Internet, and I don't think the case can be made for the Triplebyte CEO.


Do you have any evidence @ammon is a sociopath/narcissist?


Are you kidding? Pandering to covid-19 based urgency to release this feature?

To put it much more politely than they deserve, this company is scum.


I don't have an account there, and didn't even know about them a week ago, but based on what people posted I don't understand the drama.

They want to make profiles public, like LinkedIn. The public profiles only contain a subset of information from the actual profile. Their FAQ page says that you can enable/disable sharing of your profile. They sent email to their users announcing the change and giving plenty of time to change settings.

I don't see how they could do better than that.


Explanations in comments: https://news.ycombinator.com/item?id=23279837

Synopsis IIRC: Dark patterns, requiring ID to close account, 30 days to close account (and they quietly cancel the request if you log in), only 7 days notice, no permanent opt-out.


Ah, had no idea, thanks for explaining.

So the real issue is those dark patterns, not so much making profiles public. If they executed it right, I think the majority of people wouldn't have problems with it.


Good lesson for other founders here. Early on nobody knows you, but as soon as they do, you'll need to have chosen if you're on the trust-and-brand-building marathon or not. By default, if you do nothing, you're building up to an explosion like this that can take years to recover from.

How did the CEO, the board, the sales team, the marketing team, customer support team, and the engineering team all fail to notice and act on a gross privacy breach? How will that change?

It's good the CEO is starting to take responsibility, but an apology letter is roughly, apology, acknowledgement, explanation, and plan to fix / prevent repeat. I see a lot of "I...", but no post-mortem on how the internal culture they've built encouraged breach of trust & privacy in favor of growth numbers, and if/how that'll change top-to-bottom. For now, it remains, "I'm sorry you caught me and made me feel like the bad person I don't think of myself as." Once you think of systems and culture, and start tracing through the dark patterns around the launch and the scope of the initiative, things get uncomfortable. Hiring, on-boarding, feature planning, feature reviews, personal responsibility, feature ownership, management prioritization, trust & safety oversight...


Ammon says a postmortem is in the works: https://news.ycombinator.com/item?id=23304127


Yes, I was responding to the apology. This should have been part of it, and is part of the lesson to founders. If you are in position of responsibility, mistakes are inevitable, and so is having to correctly apologize. (I learned the hard way.)

This incident is about a self-inflicted customer data breach. As it surprised the CEO, it suggests a full-company culture & governance issue, and is hard to be reactive about. Even when things are going well, customer responsibility & data protection should be a constant and non-obvious responsibility for everyone as soon as anything like marketing, sales, engineering, hiring, delegation, etc. gets interesting. A lot of people are involved in a major move like this and the governance structures that inform them. Think their VCs / VPs / managers / etc either signing off... or not caring.

And again, I'm writing this more as a warning for other founders. Building a culture is a constant marathon, and it's way harder to fix one. (For the CEO: I'd consult with a few folks knowledgeable about communicating apologies ASAP, esp. before any further unvetted public comms, and for longer-term, get regular external advisors + directly responsible internal leaders for fixing culture + security, and rethink why multiple internal leaders failed in both. But that's super generic.)


One of two things happened:

1. Triplebyte attempted a big move against LinkedIn, tried to ease the blow to users by dumping on a Friday before memorial day weekend

2. Triplebyte, the company built around helping people find jobs, truthfully didn't understand that people might have concerns about their current companies knowing they are job-hunting

It's pretty obvious it's #1, and that opt-out rather than opt-in was the only way it would gain the critical mass needed. The outcry hit critical mass and now they need to walk it back, until they have a different strategy for re-segmenting LinkedIn's market


I'd say it was both. I wanted to move against LinkedIn profiles, I thought that opt-out was the way to get critical mass, and I screwed up and did not realize how large a privacy violation this was.


> I thought that opt-out was the way to get critical mass

But what about following every dark pattern in the book to prevent people from actually opting out[1][2]? There was not even an option to opt-out indefinitely.

It seemed like an extremely carefully engineered effort to trick the users. How can something like this be considered "unintentional"?

[1] https://news.ycombinator.com/item?id=23280040

[2] https://news.ycombinator.com/item?id=23283237


Regarding [2] This is extremely bad, like Google+ forced-real-name-policies bad..!

(For those who wonder: that and the Buzz incident made lots of people hate or at least distrust Google.)

Why why why do companies do this?

During the last 6 months I've stopped logging into Stack Overflow. It is a nice resource but for me it is read only for now because they messed up so hard - and refused to come up with a real apology.

Same goes for Quora: they betrayed us hard by trying to tell everyone what we were looking at. (Edit: next sentence added later:) Now imagine you've been reading up about health issues and realize it is suddenly on your profile. Still now, many years later I shun them as they haven't as far as I see come clean.

In some cases, if it gets caught early enough, just saying: "we messed up, sorry, here's what we will do:" can be enough.

In other cases - where there are layers of bad patterns, lies and contempt for users and volunteers I actively want to punish them until they start behaving.

Quora (broadcasting sensitive information), Google (trying to kill the web, insulting me with insanely misplaced ads for years, trying to kill Firefox), Stack Overflow all go on my list of companies that I actively work against, but I guess only until I see real change ;-)


I think I missed the SO news. What happened there?


They kicked a mod (Monica) who dared to ask questions about the implementation of their new policy regarding gender words.

IIRC Monica asked if it would be OK if she (or someone else?) wrote in a way that sidestepped the whole issue, for example by writing about "the user" instead of "he and/or she".

Again IIRC they leaked information to newspapers, misrepresented the case and issued one or more non-apologies before trying to pretend nothing had happened.


Is it really surprising that a moderator, who is meant to be enforcing the rules, protesting a "respect trans people's pronouns" rule with "what if I just stop using pronouns" didn't go well for them? StackOverflow should pick moderators that respect the spirit of the rules they're going to be enforcing.


You should read more about the situation. I think your take is quite naive, frankly.

And why it became okay to compel someone to use a certain pronoun as opposed to compelling them to _not misgender_ is absolute lunacy. Monica wanted to write her sentences in a way that did not require pronouns period, and they decided that was not okay. Not to mention all the mud-dragging and character assassination they pulled.

I’m on mobile so won’t dig up the link but go find what Monica wrote on it


This is the best high-level overview: https://meta.stackexchange.com/a/334417/302954


Sure, but moderators are elected by the community, Monica was elected before the new policy was a thing, and the community including Monica and StackExchange were discussing what the new policy was going to look like (the policy hadn't even been finalized yet, let alone rolled out) when SE went and fired Monica (doesn't matter what the reason, firing people from elected positions without consensus doesn't go over well) and dissed Monica (by name!) to the media.

And then obviously Monica crowdfunded $25k to sue SE, they came to an agreement and neither party really talks about the incident any more.

There was really no need for the situation to escalate as harshly as it did and SE shot themselves in the foot repeatedly.


It wasn't a protest, and Monica already didn't use pronouns.


> But what about following every dark pattern in the book

If the goal is to run after LinkedIn it seems a logical way to go, but they have a very strong head start on that.


Kudos for owning up straight on this.

I think LinkedIn is a massively privacy violating service, and alternatives are a very good and important thing to see. I would add one comment though perhaps helpful in the future:

One reason people here take such a vigorous stance against startups doing these kinds of "dirty tricks" is because they want real alternatives that treat them as more than a number of a row in a database. The incumbents will use opt-out techniques and consent walls, and dark patterns to grow.

But at the end of the day, they're being valued by the number of rows in their database. It seems there's a real potential to have lots of (but fewer) rows in your database, but for them to be actual valued users who get value from your service, and you make money from. Hyper growth scaling doesn't always have to be the only way. A curated network of a focused and high value verified demographic is likely worth orders of magnitude more than the incumbent, without any data selling or shenanigans.


> massively privacy violating service

And that's saying it gently.

Not sure if they're still doing it, but the way they were harvesting e-mails and then using them to spam the harvested contacts, they were no better than any other phishing site.

For people who use the same password on LinkedIn and their e-mail account, it was extremely easy to accidentally "consent" to this, and I've seen many an apology to the spam victims from someone who accidentally gave access. And they would spam everyone multiple times, with no way for the recipients to stop it. (They paid a $13M settlement for this; gladly, I assume).

It still boggles my mind that e-mail providers didn't both block LinkedIn's IPs from accessing contacts and spam-can everything from their mail servers.


Agreed - I think they stopped doing this, but I am still tempted to make a GDPR complaint on the basis I have never consented to receiving contact from them.

Looking back at my email archives, I was still getting "X's invite is awaiting your response" emails in October 2018, after GDPR began.

Perhaps I am taking an overly strict view here, but given my email address is my personal data, no amount of consent (or indeed waivers/warrants from users that they have my consent, which LinkedIn has no genuine reason to believe true) can grant them permission to store and process my personal data.

It seems nonetheless unavoidable for LinkedIn to have carried out the process of linking my email to the person that sent the (unsolicited) request. This kind of behaviour is really rather scummy. I hope that invite spam could be a separate case on the basis of a GDPR violation, rather than the "accidentally going into people's email and getting their contacts" (as incredulous as it is to even write this!)


Let’s be honest. This was out of desperation. Without this pivot Triplebyte was dead. And now it probably is anyway.

Ammon, the big money is going to be chasing cost savings as more remote workforces can now take advantage of overseas labor. The perfect storm of cost reduction pressure and remote workplace growth gives Triplebyte a great position to be the front runner in helping companies find less expensive overseas talent.


> Let’s be honest. This was out of desperation. Without this pivot Triplebyte was dead. And now it probably is anyway.

IMHO, that's the saddest thing about this. Triplebyte has a niche where they can provide value to companies and job seekers. But producing an objective analysis of someone's coding skills is expensive and doesn't scale well. They could make millions every year but it's not and never would be a billion dollar company. And it's too bad that millions is not good enough.


Applying a marginal amount of business acumen: there's other ways to get from millions to billion(s). They don't have to further monetize engineers. There's companies looking for all sorts of talent, beyond software engineers, in fact 99% of hiring is for non-software engineering roles. You can't get blood from a stone, but you can expand your total addressable market.


It's too hard to scale and protect margins. If Triplebyte proves out a business model you'll get a bunch of Triplebyte for X competitors. For example, someone will start the equivalent of Triplebyte focused on DBAs another for Erlang devs, another for embedded, etc.


Wouldn't a growing company that needed to hire for several different roles rather deal with a single service than a separate service for each specialty role?


Yeah, I'm not saying there's not a viable business there. Just not one that's going to be worth a billion dollars in a couple years.


Right; s/he is saying that Triplebyte needs to be 'Triplebyte for X.'


He was honest and completely addresses this

> The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping.

In fact that paragraph is what made me accept his apology. The reflection and honest answer of how he decided to ship this feature was more than any company apology I've heard in the past.


While for me, that paragraph highlights his untrustworthiness...

"Money got tight, so we decided to monetise your sensitive data!"


Good on you for doing this- I think the apology is great and shows TripleByte listens to feedback. I also think that taking on LinkedIn could be amazing for the broader ecosystem- LinkedIn is terrible, and anything competing against them would be awesome, so I wish you luck.


> I screwed up and did not realize how large a privacy violation this was

Riiiight. You didn't realize how big it was because you didn't care, until it was clear it was going to have a serious negative impact on you. You didn't care about the privacy of others or otherwise you wouldn't have made the choices you did.


Hey, I was complaining at you in the previous thread, so I feel obliged to say thanks for the apology and the reversal. I think the feature, IFF opt-in, is a good idea.

Thanks!


Do you have a Chief Privacy Officer? Or Chief Information Security Officer? Was the issue raised and the privacy impact miscalculated (not ideal, but mistakes happen) or were the potential privacy implications overlooked entirely?


We do not have a Chief Privacy Officer or Chief Information Security Officer. The issue was raised by our head of product and I dismissed it. I saw it as a minor concern (I'm ashamed to say).


Next time: pass it by your lawyers for a quick review if you can't trust your own judgment on things like this. Ditto for all the dark patterns you are still using today on your website, clean up your act. Note that you are firmly in the crosshairs of the EU data privacy watchdogs and that the fines are nothing to sneeze at, if you expect to establish and maintain a foothold in this market realize two things:

- trust is a crystal ball, you can drop it and break it, patch it back together again but it will never ever be the same way it was before, it can only degrade

- if you plan on being a player in this field you will have to take the privacy of your users seriously, this includes doing your privacy and security reviews by the book because if there ever is an involuntary disclosure what you've seen in the last couple of days will come back hundredfold.


This is good advice, but I'll add to it. Your general counsel is an acceptable, but not great, substitute for a real VP-level privacy officer. Lawyers tend to look at privacy issues with an eye towards compliance, i.e. does this privacy issue subject us to regulatory scrutiny or open us up to lawsuits? They don't always look at these issues from the point of view of "What is our company's philosophy around the sharing of our users' data, around providing transparency and control for users, and does this feature align with that philosophy?" A dedicated privacy professional will explore that question deeply.

In my opinion, in 2020, any company that releases software and has more than like 20 engineers should have at least one VP-level privacy approver who has the power to block releases.


I hope you went back to Aaron and thanked him for that input and perhaps apologized for dismissing it. It can be really frustrating to lead something and have founders/execs shoot down your professional input, ideas, or concerns because... Well, why did you?


Though you are small and do not have an official chief privacy officer or CISO, do you have personnel that are champions of those desires? If not, nurture or acquire. If so, listen to them. This is 2020. If you look at Zoom, you can argue that security and privacy can come later, that the market will do anything for features and forgive any security or privacy faux pas. You would not be wrong, but such a calculus is what people in this forum are objecting to. People mainly feel bad that the economic incentive for privacy is weak. Are you following GDPR? Have you heard of it? A privacy move on top of your apology and retraction could differentiate your company as the privacy aware alternative, much like DuckDuckGo has made privacy its key differentiator, or, if you need a stronger financially motivating example, much like Apple is touting privacy in all that they do.


I appreciate your direct honesty here and elsewhere, but I—and likely much of your core market—feel that leverage of opt-out and old customer data to get critical mass in a pivot to an unrelated business was already unethical. That you’re a recruiter made it inexcusable but it was never an idea that was respectful to your users to begin with.

Dude, you were going to use us to publicly endorse your new platform via usage and give it immediate legitimacy, without our consent. Don’t you get that’s what “critical mass through public profiles” means? People join because people are already there?

This is probably the post that disturbs me most of what I’ve read, for simply ignoring that the decision was problematic on multiple levels. Either you’re still not completely getting it or this is disingenuous, and neither option is comforting.

And trying to be as charitable as possible here, it’s very easy to take your clinical recounting as being cavalier in its precision. I don’t think we’re all necessarily far enough from the situation yet that you should treat it as the distant past when discussing it. You still have my data, at least for the moment, and it’s still an ongoing concern.


How about the dark patterns you employed on the opt-out?


Sadly, those patterns are just industry standard UX at this point.


No, they really aren't. Some of the reported patterns probably aren't even legal in large parts of the world today.

Not that it would matter if they were. Other people doing nasty things is no excuse for doing them yourself as well.


The hell they are.


Are you the only person working there? Did no one else say anything about this? It seems impossible given the huge backlash that absolutely no one at Triplebyte stood up and said "this is a mistake".


One question that wasn’t addressed in the response: if the CEO did not realize that implementing the feature would be bad for users, then why did the company announce the feature as an email footnote at 5PM Friday before a holiday weekend, which is when bad news typically drops?


The Friday announcement was a result of us pushing to get the profile toggle feature out that the email linked to, and shipping late. Not something I'm proud of (either from an eng management perspective, or, more importantly, from a not violating the trust of our users perspective). It was a rushed schedule. In hindsight I see that the timing of the Friday announcement is ALSO a problem.


Just curious, did you have any engineers/product owners telling you that you should probably not do this feature, especially not push so hard (doing stuff late on Friday that can easily wait for Monday, etc...) to get it out?


The tree of possible causes here looks really bad. Either no one spoke up, or someone did. If no one spoke up because no one knew this would be a problem, it means the team is completely unqualified. If no one spoke up but they did know this would be a problem, then it means people are afraid to speak out (my money is on this one). If people did speak out, then the right people with the right concerns aren't getting listened to.


This, I'm very curious to know. Did anybody speak up about it? That's what product discussion meetings are for, right?


I think it's very telling that Ammon never replied to this. I'm guessing it's because engineers did push back, and he overruled them.


Yeah, we don’t even do any kind of code deploy on Friday after 10am. Not even bug fixes unless they are for site reliability.


It's one thing to do regular code deploys and there is no harm in doing it on fridays, if the code happens to be ready. If something goes bad, you rollback, which hopefully is automatic.

But, pushing features out the door is different than just deploying, so seems this is what happened. Then it doesn't matter what day you release your unfinished feature, it's gonna cause bad times.


Yeah, those guys got laid off early on the COVID-19 cost reductions as being 'troublemakers'.


Hi Ammon,

1. There is an opportunity.

2. You did lose a lot of trust.

3. You didn't have enough trust in the first place to really take advantage of this opportunity.

I would encourage you to think about how you can earn that trust. This comes back to transparency and checks-and-balances. If you want to go that route, you will need to build hard constraints: legal and technological constraints which would have prevented this in the first place which you can't later remove.

This shouldn't have been down to the bad judgement by the CEO. I don't know you, but even if I did, the Board can toss you out next month, and the next CEO might have worse judgement.

Baseline: Right now, your privacy policy is not bad. However, you can change it anytime. You can eliminate it in the case of sale. Etc. You're paying a lot in trust right now for abstract flexibility down-the-line. I would not give you a model of what I know with that privacy policy, and to get to your vision, you'd need my data.

Good: Think through how organizations engineer legal constraint (GPL, AGPL, CC-BY-SA, etc.) to build community and trust. Engage folks like Eben Moglen and Larry Lessig, and come up with robust ways where Triplebyte can be trusted to manage user data, without needing to trust the Triplebyte management team.

Your team has a fiduciary duty to maximize shareholder value. Down the line, you might become Google (which has a trillion dollars to lose if it breaks trust) or you might become Yahoo (which is now mining personal emails in really evil ways, since that's the most effective way to scrape out the last little bits of profit). I want to know that if you go the route of Yahoo, or other companies I trusted with my data which went south, you won't be able to weasel out.

You should figure out problems like:

* What happens if you do have a problem? If my data leaks, will you be liable, or do I bear that cost? If you are, that sets up incentives for you to have proper security. Consider it a cost of business (you can get insurance too).

* How can I verify what happened to my data, as you send it off to partners and "trusted" affiliates?

* How do I know my data was properly de-identified? (I don't believe this at all, at this point.)

If you can build something really robust, it will go a long ways to making you into a Google, by ensuring you won't turn into a Yahoo. It's a trillion-dollar opportunity.


We are thinking about how we can make a stronger (and specific) privacy guarantee so it's not just a matter of our future intentions. I had a long conversation with my co-founder about this yesterday. We did not get anything together in time to include it in this email. But we're planning to.


This is good to hear. I have spent a lot of time looking at this topic, and for me there's 3 things worth exploring.

1. Versioning of user consent.

A lot of services have been designed around the idea that once a user consents to the terms, they consent to any alterations you make in the future. This is legally very questionable, at least in many countries. Some services manage to keep track of the version of the agreement a user has approved, but then force agreement with any updated version. But in reality there's no need for this - users should be able to granularly consent (and withdraw consent) to different things, as and when it's desired.

In any case given the way this is interpreted in GDPR, and the direction of travel in California and other states, having granular consent seems to be a sensible short term investment to save a lot of pain down the line.

2. Handling data at a sale, acquisition or liquidation.

This one is more tricky, and I believe a Stripe co-founder mentioned this recently on HN as something to look into. Lots of companies see their database as an asset to sell. There's an interesting history of companies like RadioShack, ToysRUs, and others going through this issue and ending up in court over it...

3. Aligning your goals with your users.

It might be a bit idealistic, but it always seems to me that privacy works best when everyone's interests are aligned. I'm not sure how this fits for your situation, but it strikes me users wanting visibility get visibility, and if they get a job you'll benefit, as do they. That seems nicely aligned. And for people who want to be incognito, they remain incognito, but they know you're there. It's probably counter to lots of the "startup playbook", but even these incognito users are likely still valuable, maybe even net promoters, just not currently looking to be seen. So it seems your goals align nicely with users', and there need not be any hyper growth "dark patterns".
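The versioned, per-purpose consent described in point 1 of the comment above, as an added example that is not part of the thread and is not Triplebyte's code. The class names, the purposes `recruiter_visible` and `public_profile`, and the user id are hypothetical. Missing records mean "no", a grant is valid only for the terms version the user was shown, and a terms change never carries old consent forward.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    terms_version: int   # version of the terms the user was actually shown
    granted: bool        # True = opt in, False = withdrawal
    at: datetime


class ConsentLedger:
    """Append-only, per-purpose consent records. No record means no consent."""

    def __init__(self):
        self._current = {}   # purpose -> current terms version
        self._events = []    # only ever appended to, so it doubles as an audit trail

    def publish_terms(self, purpose, version):
        if version <= self._current.get(purpose, 0):
            raise ValueError("terms versions must increase")
        self._current[purpose] = version

    def record(self, user_id, purpose, granted, seen_version):
        if purpose not in self._current:
            raise KeyError(f"unknown purpose: {purpose}")
        # A grant counts only for terms the user saw, and those must be current.
        # A withdrawal is accepted regardless of which version the user saw.
        if granted and seen_version != self._current[purpose]:
            raise ValueError("cannot grant consent against stale terms")
        event = ConsentEvent(user_id, purpose, seen_version, granted,
                             datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _latest(self, user_id, purpose):
        for event in reversed(self._events):
            if event.user_id == user_id and event.purpose == purpose:
                return event
        return None

    def is_allowed(self, user_id, purpose):
        # Opt-in default: allowed only with an explicit grant for the current terms.
        latest = self._latest(user_id, purpose)
        return (latest is not None and latest.granted
                and latest.terms_version == self._current.get(purpose))

    def needs_reconsent(self, user_id, purpose):
        # The user said yes earlier, but to terms that have since been replaced.
        latest = self._latest(user_id, purpose)
        return (latest is not None and latest.granted
                and latest.terms_version != self._current.get(purpose))

    def history(self, user_id):
        return [e for e in self._events if e.user_id == user_id]


def demo():
    ledger = ConsentLedger()
    ledger.publish_terms("recruiter_visible", 1)   # hypothetical purposes
    ledger.publish_terms("public_profile", 1)
    user = "user-123"                              # constructed sample user

    out = {}
    ledger.record(user, "recruiter_visible", True, seen_version=1)
    out["recruiter_v1"] = ledger.is_allowed(user, "recruiter_visible")
    # Consent to one purpose says nothing about another one.
    out["public_default"] = ledger.is_allowed(user, "public_profile")

    # New terms for an existing purpose invalidate the earlier grant.
    ledger.publish_terms("recruiter_visible", 2)
    out["after_terms_change"] = ledger.is_allowed(user, "recruiter_visible")
    out["needs_reconsent"] = ledger.needs_reconsent(user, "recruiter_visible")

    ledger.record(user, "recruiter_visible", True, seen_version=2)
    out["recruiter_v2"] = ledger.is_allowed(user, "recruiter_visible")

    ledger.record(user, "recruiter_visible", False, seen_version=2)
    out["after_withdrawal"] = ledger.is_allowed(user, "recruiter_visible")
    out["events"] = len(ledger.history(user))
    return out


if __name__ == "__main__":
    print(demo())
```
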


That would be terrific!

I would encourage you to not go it alone.

1) There are people who have been thinking about this problem long and hard for a long time. Most are pretty accessible, and would be excited to see something strong here. There's a big pool of knowledge to build on.

2) You don't need to have something finished or polished to start to engage with either those people or with the community. You can toss out an early draft and solicit feedback if you're on the right track (rather than tossing out a fait accompli). You can even just solicit ideas.


I'm late to the party, and haven't done an extensive search to see if anyone has suggested this, so I'll offer my opinion anyway.

If you want to build a LinkedIn competitor it should be a completely different product to what you offer now with private employer<->employee hookups.

The two services should be physically separate in every sense, so there's no possibility of someone flipping a bit and accidentally making public someone's private job search intentions.


> Your team has a fiduciary duty to maximize shareholder value

That’s actually not true.

Also, your comment comes off as needlessly offensive:

> 3. You didn't have enough trust in the first place to really take advantage of this opportunity.

> I would encourage you to think about how you can earn that trust

You’re attacking him when he’s come back, owned up, and apologized for the mistake.


I apologize if they come off as offensive. That was not the intent. I wasn't trying to attack him -- it's not personal. I'm criticizing a system he has in place, which this incident highlighted.

I'm also suggesting an alternative which I /think/ would have more privacy and more business value. I'm not an insider, so I could be wrong about either of those, but that's the point of a conversation. This way, he knows what would work for me, as a potential user. He can take it and run with it, take it as a problem statement and run with a different solution, or take me as 0.0001% of the market and ignore it. In his shoes, I've done all three at different times.


> > Your team has a fiduciary duty to maximize shareholder value

> That’s actually not true.

@woofie11, you should internalise this.

What the board has a duty to do is enact the desires of shareholders as they have made those desires clear. If the shareholders want to sacrifice profitability for some other goal, that's fine, normal, expected, and ordinary.

There is no fiduciary duty to maximise shareholder value.

Obviously negligence, fraud, and other possibly criminal or immoral behaviour that reduces or ruins shareholder value can certainly be a problem, but that's a separate issue.


This is all spot on. Super good comment, with the exception of the 'shareholder value maximization', that bit is bull and you should stop repeating it.


Genuine question - I'm curious why you consider the "shareholder value" part to be bull? Thanks.



Extract from guidelines:

Please don't comment about the voting on comments. It never does any good, and it makes boring reading.

Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.


Removed.


> The Friday announcement was a result of us pushing to get the profile toggle feature out that the email linked to

The absolute most important part of the feature was a last-minute addition?


It sounds like the overall feature was delayed because the eng work for the profile toggle landed late.


Your reputation is shot.


I have used TripleByte as a candidate and company and it’s an awesome product. If we keep getting great hires, I could care less what you make public. Thanks for your hard work.


Unfortunately the most vocal people are the only ones you’re hearing. I got the email and didn’t really care. My angel.co and LinkedIn are already public, why not Triplebyte too, especially if it raises my market value.

Haters gonna hate and I wouldn’t take it too seriously.


> My angel.co and LinkedIn are already public, why not Triplebyte too

Because you opted in to creating those profiles and the information they contain, and made them public. You opted in.


It was wrong not to make it opt in but not deserving of the level of hate they’re getting for the decision. The big tech companies do things every day that are much more damaging to your privacy and they don’t send you an email telling you. LinkedIn’s spam marketing in the early days was downright scandalous.

I’ve always found Triplebyte open and insightful and their response shows they’re receptive to feedback, which is a rare thing these days. People should be respecting that instead of crucifying one of the only companies that actually listens to them. No company is perfect all the time.


I think we're going to have to agree to disagree on this one then, as I firmly believe they are deserving of the negativity.

The CEO's whole attitude towards privacy shows how they treat privacy, and no, I'm not going to "respect" that.


Sounds like you've been privileged to work for companies that are OK with you looking around.

The analogy with dating services that people were bringing up earlier was a good one. Sure, some people are in open relationships, which is fine, but if Tinder were to assume that everybody was OK with having that aspect of their personal life exposed in public, it would be a massive problem.


> I’ve always found Triplebyte open and insightful

Even in the midst of a shitstorm where the CEO/Founder is publicly admitting to a complete lack of insight?


If a company is upfront and listens, any feature they will release or change will be done considering the privacy and security. You give your customer power and do not take it away from them. You choose what you do about your data and no one else can make that decision on behalf of you.


Just because people are not being vocal does not mean they do not care about the situation. I haven't commented on the drama from this situation but I also got the email from them and my immediate reaction was "huh, that's kinda shitty." and proceeded to hide my profiles. A lot of people feel that only people who are displeased voice their opinion and people who are satisfied stay quiet but I would be wary about that line of thought. While the angriest voices are the loudest there are definitely a good number of people who aren't happy but don't feel the need to jump into every argument.


Are you sure about this? I didn't comment on the previous story. I didn't tweet about this. I didn't email TripleByte. I just silently purged my account of meaningful data and opted out.

I'm only commenting now to cancel out your anecdote.

(And FWIW, I would have done nothing had it been opt-in. I would have been happy to leave my information private and strategically take it public when it suited me. The email, and Ammon's behavior in the original thread gave me little confidence that was an option, so I nuked my data.)


Actually, he's getting loud voices from people that are:

1) really pissed off about it

AND

2) compassionate enough to tell him why

The easier course of action, which I chose, was to quietly say "fuck you" and delete my profile. Ammon is getting a lot of valuable feedback right now. Yes, hatemail is valuable feedback. Because for every hatemail you get, there are ten users like me that will just bounce without a peep.


Given that he replied elsewhere in the thread that 2000 accounts went through the deletion process since the announcement, there are actual numbers supporting the idea that it isn’t just a vocal minority. Keep in mind, this is deletions, not opt-outs. The deletion process, as mentioned many times in the previous thread, takes significant lift on the user’s part.


This speaks for an opt-in and not an opt-out.


And why was the CEO on HN arguing for the feature, implying people complaining were the ones with the problem?

I don't buy it, and I'll be steering clear.


My head was still in the place it was when we were developing the feature. I thought it was a communication problem (if I could only communicate how this feature could help a lot of people everyone would understand). Perhaps I'm just slow. But it took some time and repetition for the magnitude of my error to sink in and me to really hear what people were saying.


If you don't already have one, have you considered having a collection of users who you can privately ask about potential features (or run email wording by) to figure out how it would go over? A user of the product could easily have told you, in advance, "some people are looking for a job secretly and this would be a problem".

You could also come up with incentives to encourage job seekers to opt in; for instance, you could temporarily tag such users as "likely to get hired sooner" in reports for prospective employers.


> you could temporarily tag such users as "likely to get hired sooner"

Let's start lying to the customers on top of this fiasco.


I really like this idea. I'll talk to my head of product about it.


Now I am curious what the conversations so far have been about if opt-in was never discussed? Are you looking for product managers?


I'm actually surprised that I didn't see this posted in the TripleByte Alum Slack for feedback prior to announcement or even announced there at all. It was the first place I checked after seeing the email/post on HN.


I woulda thought they have enough engineers in the company that the engineers would have raised a red flag...


Studies actually show that subordinates generally do not raise concern to their superiors about issues for either fear of reprimand or thinking the superior knows more than you.

If @ammon had said, “this will be a great feature,” the devs would keep quiet because they either (1) don’t want to be fired, or (2) trust he knows better than them.


That's part of why you should 1) ask before starting development, and 2) ask for feedback rather than telling people what to think.


This is why you don't release on a Friday.

Best case scenario you spend the whole weekend focused on whether the release went right...

Worse you spend the whole weekend cleaning a mess up.

It's pretty much always a lose/lose.


If you can't reliably release on a Friday, your delivery process is broken. Should you send customers an unsettling policy change, late on a Friday, nah, still a hard NO.


I didn't say don't have a release process good enough to be able to release on Friday (obviously you want this for emergencies).

I said don't release on Friday.

No one's release process is perfect and the best time to find holes in it is when you are just ready to have the week be over so you can happy hour on a Friday.

In this case at least part of the release process that was broken was how it was communicated to users. Now they have to spend the whole weekend putting out this fire.

Why take the chance in a non emergency situation? Enjoy your weekend and do it with a fresh mind Monday morning.


Good answer. Actually first good answer I remember seeing from any of you so far.

I still wonder why you tried the infamous "I'm sorry that you cannot understand" line here?


I don't know... it's not a great response from a company, but sometimes it's genuinely the case that disagreement comes from a lack of understanding. An impulse to try and explain more clearly is relatable.


You do realise that if you have any European users you have majorly contravened GDPR regulations and data protection rules.

I'm talking 20 million euros in fines


You do realize that the feature never actually launched, so no data was “public” (quotes because it’s already public to recruiters who use TB).


> I'm talking 20 million euros in fines

Unfortunately, the real fines are nowhere near the theoretically possible ones.

This is egregious enough that it could have actually resulted in a fine as opposed to a "please don't do that", but realistically, I doubt the fine would get near 100k.


Triplebyte is not for EU users. You're forgetting that Triplebyte is an American company, they're not subject to European nanny laws.


Any European citizen is covered by GDPR no matter where they are located.


I’m curious how that’ll work in practice. The sovereignty of a nation is a big thing. The US isn’t going to just prosecute TripleByte because Europe said they should. Sure, if @ammon visits the EU, he could be arrested, but a nation’s laws (generally) don’t extend past their border.


It’s a total pipe dream. I don’t know what fantasy land people are living in where they think the EU is going to successfully collect a dollar in fines from some random small company elsewhere in the world, no matter how messed up their privacy practices are.


First of all, this isn’t popular with the EU crowd here, but there’s no method of enforcement for GDPR for American companies without a presence in Europe. Good luck trying to collect a fine from some tiny business in the US

Second, you really think GDPR is going to be applied to some tiny American startup because they said they might do something and then didn’t?

Third, my understanding is that if you don’t target EU customers, GDPR doesn’t apply. It’s not enough that an EU customer happens to wander into your store. You have to have some accommodation targeting the EU (like translated pages, international shipping, different currencies, etc)


Here’s the text from the European Commission:

When the regulation does not apply

Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

Source: https://ec.europa.eu/info/law/law-topic/data-protection/refo...


Eh, likely some of the people who have gone through Triplebyte are now in Europe, subjecting its use of their data to GDPR law.


> if I could only communicate how this feature could help a lot of people everyone would understand

I don't mean to flog a dead horse, but you seem to be intent on digging a deeper and deeper hole.

It's not for you or anyone else to make someone's data public without their consent, because you think it helps them.

> and me to really hear what people were saying

Nobody should need to tell you any of this. If it truly did, then you clearly don't care a jot about privacy, and simply aren't responsible enough to manage other people's data.

A company's ethos and values cascade down from the top, so your attitude towards privacy is especially concerning.


I think you've missed the point ... that parenthetical comment is what was previously in his mind, he's sharing with us why he was, at that time, still pushing and defending.

I don't see this in any way as still digging the hole.

As for the rest of your comment, you seem purely to be repeating what he says he now knows. Although others have, I haven't downvoted you, but it feels like you're still being angry about what the situation was, and not trying to adapt to what this situation is.

I agree that there are still legitimate causes for concern, but it's worth taking time to think about what they really are.


Yes, I'm repeating what he already claims to know, because my point is he should already have known it. I am casting doubt on his sincerity, given this feature, his arguments on HN the other day, and what he's said now.

I'm not still angry about what the situation was - I believe the only reason this feature was rolled back is because there was a big backlash. I really believe his whole attitude towards other people's data means he isn't responsible enough to store it.

It's exactly irresponsible moves like this that led to the GDPR in the first place (something else contravened by this feature)


I can certainly understand that when you're excited about rolling out a new feature and you encounter some pushback your gut reaction might be to "sell" people on it or try to explain it better rather than listen. The important thing is that he did eventually listen.

I think it's also important to distinguish the idea from the execution. A LinkedIn alternative for developers is a great idea. The problem was the incredibly short opt-out (instead of opt-in) with notice given to users on Friday afternoon of a long holiday weekend.


I totally understand being excited about a new feature, but I don't understand the lax attitude towards privacy, especially not nowadays.

I somewhat agree, in that the important thing for now is that he did eventually relent. But I'm not convinced he actually listened, so much as relented under pressure. I don't think those values bode well for the company going forward. I certainly hope I'm proved wrong on that.


I'm all too surprised when people fall into ambiguity holes and give the benefit of doubt over these situations presuming there's some underlying candid motive or attribute ignorance (Hanlon's razor referenced far too often).

A business saw an opportunity to make more money and took it. A large portion of consumer interests no longer aligned with their interests and we were caught in the crossfire. Fortunately, enough people shared the same concern that the risk for the business (Triplebyte) was now high enough that they had to mitigate fallout.

That's all that happened and all that typically happens. Perhaps Triplebyte management didn't see the risk or misjudged the backlash and expected only a few users to complain. I find it hard to believe this side effect wasn't at least a considered risk brought to the table and ultimately ignored by management looking purely at growth.

Yes, sometimes a shift in a business's goals ceases to align with our interests and isn't necessarily meant to be a malignant move against us directly, but there is certainly no concern for us in the process unless it is ultimately perceived as more net profitable.

This is why we should be quite careful as to what we allow business ownership over/access to and remember that profit seeking cost optimizations are only useful to us while they're aligned with our interests. Whatever behaviors we allow businesses to pursue without enough repercussion to care, they will pursue seeking profit: a proverbial "cost of doing business."

When a business's profit seeking interests are misaligned with ours or run counter opposite to our interests, we're in for a fight against a resource heavy entity we're likely to lose, especially when certain behaviors are allowed to normalize across entire industries and accepted by culture in large segments.


The West Wing (tv show) even had an episode around it “Take out the trash day”[0].

[0] https://www.imdb.com/title/tt0745682/


The classic "gonna sneak this in here...hope you don't notice" time slot.


I was one of the most vocal critics in the original thread, justifiably. I lost a little sleep over how it could potentially affect me at my current job.

I feel bad for the company because I think the original decision meant they would lose a lot of trust in the community for what is otherwise a great service. Indeed, I had a wonderful experience interviewing with startups after having passed the TB interview process. However I also feel bad because I feel like it may indicate that the company is perhaps doing poorly financially.

However, I will say that I am very happy with this apology. It's direct, takes responsibility, and gives clear action on what they're going to do. Classic good apology. I am happy with it and it goes a long way to earning my trust back. Thanks, Ammon.


This is a very good apology.

Yes, it is possible that this is merely the perfunctory apology TripleByte's users were undoubtedly due. It is possible it is entirely inauthentic, a mere artifice for damage control from a reputationally maimed business.

But it is also possible that, like all people, the CEO seriously screwed up. There were some bad premises, some bad motives, some bad confirmation bias at play here.

That being said, we ought not to judge people by who they were, but who they are capable of being. Is Ammon capable of rehabilitating?

I think the HN community should rightly accept this apology with great skepticism. They should scrutinize TripleByte's every move. They should wonder: has he rehabilitated? It will certainly take time.


I'm not sure it matters. TripleByte is asking for super-sensitive information. 10 years down the line, Ammon won't be CEO anymore.

No matter how much of a jerk Ammon is, I'm willing to trust-and-verify, so long as they get the and-verify part right.

No matter how great a guy Ammon is, I'm not willing to trust without the and-verify part. He might get fired tomorrow, and Steve Ballmer or Carly Fiorina might get brought in. It might go under, and get sold to Oath. There's a ton of possibilities.

He sounds honest enough in his apology, and on a personal level, I'm all for redemption and rehabilitation. It was also a one-time mistake. But I'm not dealing with a person. I'm dealing with an organization.

Zero of the organizations who got my data in the nineties are the same organizations today.


I’m confused: it sounds like you think giving them any data was a mistake before they made this product decision? After all, whatever reputation they had back then to safeguard your data also wouldn’t mean anything to Ballmer or Fiorina, right?

So if it was a bad idea before and it’s a bad idea now, has this whole episode even changed anything for you?


The apology definitely sounds honest, but why are we putting all our data in one place and then trusting someone to make the "right decisions" regarding it?

I believe society should stop centralizing its data, votes, money, etc. in the hands of a few. This decade we can work to change that.

> No matter how great a guy Ammon is, I'm not willing to trust without the and-verify part. He might get fired tomorrow, and Steve Ballmer or Carly Fiorina might get brought in. It might go under, and get sold to Oath. There's a ton of possibilities.

Exactly. But when I say this, people often respond to me "no, this is the perfect example of a company that should be centralized" followed by justifications and downvotes. Decentralization is still as uncomfortable as the civil rights movement in the 50s, for many people.


I like decentralized in some places, and centralized in others. I think decentralized can and should replace Facebook, LinkedIn, blogs, and similar.

On the other hand, there are a lot of places where centralized, with proper checks-and-balances, allows for a larger degree of scientific research and transparency. Medical and education come to mind.


How about this dichotomy:

1. Infrastructure should be more decentralized and let nameless providers compete

2. Information should be available to everyone and let nameless authors collaborate

1 produces a market of prices and competition, while 2 produces a collaborative edifice of knowledge and well architected software.


I'd actually like infrastructure to be at home. When I was in college, my "infrastructure" consisted of a PC running Linux in my dorm room, a good bit slower than a Raspberry Pi. It was fine for managing my documents, email, etc.

I'd like information to either be under my control, or managed as a public good by a non-profit or government agency with appropriate checks-and-balances and transparency.


That’s great

A hosting company can be local. Or you could host your files on your computer. If you host a social network where others also contribute content then you ARE the local hosting company and now you’re responsible for their data.

That should all be a choice.


Back in the early '00s, I designed a social network architecture which was fully decentralized. The only people whose information I'd have would be my friends', and vice-versa. I never built it, mind you, it was all a thought experiment. But I still think that sort of thing ought to be how it works.


> It is possible it is entirely inauthentic, a mere artifice for damage control from a reputationally maimed business.

I honestly don't think that matters in the slightest. One of two things happened.

1. deletion requests spiked like you wouldn't believe

2. the board caught wind of the bad feedback and forced this response.

#2 i don't believe for a second. it beggars belief that the board is following day-to-day activity and further, at the start of a holiday weekend? no. way.

not independently anyway.

#1 must have happened, ammon asked for advice from the board and other close allies, who wordsmithed this reply. there is 100% no way that this email came from the same hamfisted person that deployed this change in this particular way with this particular timing.

So why doesn't it matter? Because the action is taken, quickly, and the lesson learned. For observers this is also a great lesson - in damage control.

The problem as I see it is that this has to get buried, quickly. The damage is done. TB was obviously already on the ropes, leading to this poor decision in the first place. I've never used TB, but what I hear about it is more bad than good. Good luck to them.


> 2. the board caught wind of the bad feedback and forced this response.

> #2 i don't believe for a second. it beggars belief that the board is following day-to-day activity and further, at the start of a holiday weekend? no. way.

I don't think it's so implausible. Remember that Triplebyte is a YCombinator company (so someone from YC probably sits on the board), and the uproar about its actions occurred on HN, YCombinator's site. I wouldn't be surprised if someone who read this on HN was either (1) a partner or employee of YCombinator or (2) knew someone at YCombinator and alerted them.


First off, I want to say that as a past Triplebyte user who was concerned about my privacy after hearing the original news, I appreciate your decision to cancel the feature, and I appreciate your apology.

In the end, I don't think this was an enormous mistake as there was no harm done to your customers.

Still, you can't erase the information you've indirectly put into the world about yourself and your company. Your near-actions have shed a bit of light on your priorities, and customer privacy was apparently not at the forefront of that list. The unfortunate truth is that this begs the question of whether other decisions have or will be made which similarly disregard customer privacy.

I'm very glad that you realized the error of your ways in this instance, and I hope you continue to demonstrate your dedication to protecting your users' privacy in the time to come.


I just deleted my account. I was unaware that I even had one. I clicked on a little puzzle that popped up in my FB feed back when I was still using it (FB).

This quiz was super easy, and I got pulled into doing an interview, just for fun, and a programming test in a language I had not used in 5 years. I did not do too well, but I did not care, it was for fun!

Well I did not expect that bad score to be recorded and become public!

This economy built around private/public information quiproquo has to be reined in. I feel for the founder. But I still think there's something going on we need to stop before we get to the Stasi.


Did you need to submit a government ID and all that?


I googled delete triplebyte account, I had to reset a password I did not know I had, then a few clicks, no dark patterns, really. It did take a few hours but I just got an email saying the account delete process is complete. Not sure how deleted it is, but hey I guess it's like everything that finds its way on the internets... It's as deleted as enforceable.

Let's keep hacking a free internet, for fun, emancipation and progress. (all endeavours that can be for profit) Cheers


Yeah, no. I already deleted my account and I'm not going back. I realise the type of candidate they cater towards would find jobs at companies I wouldn't really want to work at anyway. I'm ashamed that younger me fell for this in the first place.


URL to delete your profile, if anyone is thinking to do the same: https://triplebyte.com/privacy-center


I'm curious what type of company you're looking for that you'd expect to be underrepresented.


Basing your worth around a quiz only further enables whiteboard and leetcode style interviews. I've never seen why these interviews are useful or an indicator of anything beyond someone's ability to sit at home for hours on end doing the same things over and over. A company I would want to work for would be doing something for sustainability/climate change or another social good and would focus more on behaviour and critical thinking skills.


> sustainability/climate change or another social good

Ah, yeah, if you get too narrow in your targeting, it probably makes more sense to focus on networking than any sort of recruiter.

That said, I saw quite a range when I went through Triplebyte a bit more than a year ago.

I wound up at a company making 3D printers, which has (temporarily) semi-pivoted to make lots and lots of (clinically validated) NP swabs for COVID testing. So social good can show up in a lot of places :)


I did the quiz, then a practice interview. Never did the real interview since I found a fantastic opportunity elsewhere. The interviewer was respectful of the fact that my niche isn't really what the interview was designed for (embedded systems, FPGA work, etc), and provided opportunities for me to display problem-solving skills. Of course, the quiz was purely technical, but it's hard to expect anything more from an automated quiz you can do in 30 minutes. As far as I can tell, the quiz only serves as a filter for basic competency, then the interview is an evaluation of the traits you describe.


What is the alternative you will use going forward? Another job site?


I'll continue to use LinkedIn purely as a way to message people working at companies I might be interested in. I find that Triplebyte only seemed to further enable the toxic interviewing practises you find at FAANG and FAANG aspiring companies.


I honestly believe that the public profile fiasco was caused by pressure from his investors/board.

VC money makes you do stupid things. Your next round of funding is your number one priority, customers are second. I've been there (raised $17M for my last startup).

I run a company[1] that is a competitor to Triplebyte. Yes, hiring has slowed, and we will miss all our sales targets this year by miles, but we will be just fine because we are bootstrapped and profitable. So we'll only double our revenue instead of triple. For a VC backed startup that could kill you. But we'll just hire a bit slower and have a huge party at the end of the year.

When you are venture backed, you watch your bank account balance decrease every week. Having a "burn rate" is awful. It messes with you.

With a bootstrapped company you watch your bank account balance increase every week. It's a great feeling.

So many venture backed startups are being really hurt by the current environment. I really hope that it makes more people reconsider raising money.

1: www.facetdev.com


One of the first things they could do is stop with the dark patterns. The original thread had many people mentioning that deleting an account was a ridiculous process, with a 30-day delay once you managed to start it.


To be precise, this is the email they send you when you request them to delete your account.

"We're processing your request and should be done within 30 days.

We will verify your request using the information associated with your account. Government identification may be required and we may ask you for more information in order to verify your identify.

Any questions? Email us at privacy@triplebyte.com"

They didn't need "government identification" when I signed up for it. Never going back to this site again.


Yikes! Was this today? We pushed a fix for this yesterday, but if it's not fixed I need to look into it.


@ammon, I don't know you, but definitely want to give you a hug about damage control.

You built a company that's obviously valuable and lots of people rely on. Now you have a lot of responsibility. You're going through the "trough of sorrow" with respect to a new feature.

This is what inevitably happens when lots of people come to rely on you. The one thing I'd like to say, which may sound strange at first, is think about why you really need each piece of data.

https://www.theguardian.com/technology/2019/jan/20/shoshana-...

There is now a growing movement including GDPR and California's privacy laws. You can see how duckduckgo is able to make money by advertising around keywords rather than personal data, etc.

You can help lead this movement, by allowing job candidates to have most of the data encrypted, and only reveal it to companies on a need-to-know basis. Push the point where they reveal it further back, and you'll have less friction for new signups. Every time people are asked for data, they'll already have a good reason: someone wants it. To be clear, that includes the candidate's Name, Age, Gender, and other private info.


How did this happen in the first place?


Yes. Can confirm this is the case as of 5 mins ago.


OK, I just spoke to my co-founder. The functionality was changed yesterday, but the copy was not updated on the confirmation email. The copy will be updated in a few minutes.


Thank you for being on top of this.


This is bad. Calling our eng team now. We'll have a fix out ASAP.


Yeah... we made this better yesterday (removed the delay and the request for ID). It was totally a dark pattern. We built the initial deletion process right after GDPR passed. We were thinking about it mostly from a legal perspective then, and had not reviewed it since.


But this makes no sense. Why would you legally need someone's ID to delete their account, but not to create it?


GDPR devalued PII-stores, and companies tried really hard to only let the value drop on the European portion of their data. Requiring ID is a way to discourage and even deny deletion requests in other countries.

These constraints are walked back almost immediately in practice, once companies learn that requiring a human touch for a deletion flow is not worth the hassle.

I think "legal" here meant what's the bare minimum to respect the letter of GDPR law, while not actually implementing a useful delete flow.


Thanks for recognizing it. I think it'd be encouraging to see a post mortem detailing the positive changes that came out of this whole ordeal, the sort of user hostile behaviors that you (as a company) recognized from this self reflection, their origins and corrections.


> Yeah... we made this better yesterday (removed the delay and the request for ID). It was totally a dark pattern. We built the initial deletion process right after GDPR passed. We were thinking about it mostly from a legal perspective then, and had not reviewed it since.

Appreciate the honesty here by admitting that account deletion relies on dark patterns, but it brings up two salient questions regarding how you approach product development.

1. Internally, do you at least have the equivalent of a “directly responsible individual” (DRI) for the product? It seems no one spoke up in the interests of users against legal’s overzealous decision to tack on lots of friction to the account deletion process?

2. It seems you could have also garnered some push back on the feature from your alumni Slack [0] but didn’t, perhaps due to the rush to ship quickly?

In addition to the changes you’ve pledged as part of rebuilding user trust, hopefully, you & your team will reassess your product development practices to add these checks so that such mistakes are not repeated in future.

[0] @hysan mentions that TB maintains an alumni Slack upthread: https://news.ycombinator.com/item?id=23304199


to be fair it is “up to” 30 days. mine went through in a day. YMMV


I wholeheartedly agree. I can not reconcile this apology with the blatant use of dark patterns they employed when trying to roll out this product.


> I failed to see the significance of “default public” in my head.

Hmm? This just raises more questions about Triplebyte's product development process than answers, especially since privacy is a core product feature.


I am still trying, and achieving, to give them the benefit of the doubt. They understood and took it back.

But I am scratching my head how they could honestly miss the importance of what they were planning to do.. I guess a combination of stress, pressure and usual disregard of privacy by big players clouded their judgement.


They didn’t miss anything, they just weren’t able to get away with it.


They could get away with it by just charging forward despite the backlash.

To me, that puts them at least in the middle

Malicious

Meh<---

Respectful


Amoral if I had to suggest a word, but business and amoral is basically redundant.


I read their answers in the discussion here and it felt a lot like:

I'm sorry that you...

That might have been another bad day at work but whatever it was it really doesn't inspire confidence


Yeah it’s hard to reconcile that discussion and this apology. That is unless they were hemorrhaging users after that email hit and reversed course because of that. I like the idea of triplebyte but I’m a bit hesitant now. Perhaps this is the blindness that people in privileged positions in life can’t see... similar to the real name policy on google that caused a problem for the people that didn’t want their identities tied to it. Gay people that weren’t out of the closet yet or gay people in countries with laws against that or people escaping abusive exes/stalkers etc.

Hopefully this reflection is sincere.


> Perhaps this is the blindness that people in privileged positions in life can’t see...

Yep, and that privilege may take many forms.

- Secure, well paid job.

- Friends in high places.

- Correct opinions for your area.

etc


Going to show my age here, but I find that younger generations are much less concerned about privacy for the sake of self-promotion via social media. By definition, keeping users' data private when developing a sharing platform is prohibitive of gaining traction. Gathering users' data for a non-sharing site, and then pivoting to a sharing platform without users' consent to use the existing data is absolutely 100% without a doubt wrong (should be criminal).


Completely agree - it demonstrates quite succinctly how seriously they take privacy. Doubly so when the CEO was on HN the other day arguing with those complaining about it!


Exactly what I was thinking. Either they’re just not ready for this Brave New World, or they did think about the issues and did it anyway.

I’m just tickled pink that privacy is becoming a feature people care about.


I bet _most_ of their users aren't reading HN regularly and probably just skimmed past the email (I did). HN provided a nice little teapot for this tempest to play out in, from a larger strategic picture. As mad as it probably made them when that first user put the comment up the other day, that may have just saved their business from complete annihilation. If I were Ammon, I would find that person and send them some kind of nice gift.


Perhaps more distressing to me, I got these emails but I _know_ I never actually signed up to the site: I just took the little quiz. I _know_ I didn't sign up because I recall being irritated that I had to sign up to see the results of the quiz - and I was afraid of something happening _just like this_. I was watching this because I was fairly certain - based on whatever they published about me - that I was going to take some kind of legal action. So in a way, this person saved them from _me_.


Currently located in the EU and contacted my lawyer. Told them as such. I think they realised they fucked up from a legal standpoint more than anything else.


This is an excellent example of effective apology!

1. Accept responsibility

2. Acknowledge the harm done

3. Describe your understanding of how the mistake was made

4. Describe your understanding of the wronged party's expectations and their significance

5. Close with an unreserved expression of sincere regret

6. Listen

One person can't accept full responsibility, however. Effective leadership requires accountability, and the only way Triplebyte is going to recover their users' trust is to overhaul that accountability in the open. I suspect the company's future will depend on whether the members of leadership and ownership who certainly put pressure behind this response can adopt the message and back it up with structural commitment and transparency.


What a crock of $#(& the backtrack is.

The answer is they are so incompetent they did not realize that publicly exposing job seekers could threaten their employment... a company whose sole vertical is to deal with employment... Is Triplebyte that incompetent? I honestly doubt it.

No, what happened was what all companies that get too greedy do: try to expand too fast and do dirty tricks like email a marketing email on a Friday before a holiday weekend in hope most people won't notice it to get a good "kick off" for your profiles. Got to have big numbers for the board/VCs, right? At the cost of those who trusted you with their data and private job search.

No, the only incompetence here was they did not account for HN and other engineering communities spreading the word and need to backtrack to not have it hurt their core business. Anyone would be a fool to trust Triplebyte again.


Why not just make it opt-in?

Lots of people would have done it right away and others would do it as they started to want new opportunities and/or got laid off.

Candidates who didn’t opt in probably wouldn’t be open to being contacted out of the blue anyway in a public manner.

They burned a lot of goodwill for nothing.


I suspect that this comes from tunnel vision and not interacting with enough casual users. Hypothetically, if the feedback they're seeing is that people desperately want jobs and will do whatever it takes, they may only be exposed to a subset that would have no qualms with making the info public. Especially if that subset is already out of work.

I can imagine, in that scenario, not thinking about all the devs who signed up over the years and are no longer searching, or are searching but doing so quietly.


Agreed. I could imagine how many of the most active users of their platform would be excited for any feature that improved their prospect of landing a job. Combined with the team's excitement for taking on LinkedIn and expanding their company, I could see how they'd fall into this tunnel vision.

Initially I was quite unhappy with how their CEO blindly defended the decision on the earlier HN thread, but I gotta give him credit for changing his mind and drafting this earnest apology. Everyone is human and it's easy to get caught up in your own bubble, especially when you've been excitedly executing on a vision with a team that also lives in that bubble.

Still don't think I'll ever use their platform as either a member of a hiring team or as a job seeker. But at least this followup lessens my negative connotation for Triplebyte that developed over the previous few days.


Yeah... that's a much better idea. I can tell you what was going through my head on Friday (I'm not at all trying to defend this now). Basically, it was that for a credential to carry weight with recruiters, it needs scale. There's a bootstrapping problem. But that's not an excuse for violating people's privacy. Opt-in would have been a far better idea.


In the future it’s worth noting that it’s a terrible idea to take something away from someone when you promised them something else. This is privacy in this case. On others it’s offering something for free and then charging for it.

Even if you wanted to make this an opt out feature the only sensible way to go about it is grandfathering in the old accounts into an opt in feature. Just like many companies grandfather in free customers while they charge new ones.

This is the foundation of trust.


> take something away

Quite true. T-Mobile is now forever to me the weasels that silently broke free Google Visual Voicemail in order to force me into their own, judging by the reviews quite crappy, paid app.


I've been through Triplebyte and am a fan of the mission. This was definitely a major screw-up, both for the opt-out and email dark patterns (I had skimmed the original email and assumed it was opt-in before I saw this thread), and for the subsequent doubling down in response to feedback. Glad you took some time to reflect and reverse course.

I do think the bootstrapping problem is unfortunate - hopefully you can hit critical mass via opt-in.


I'm not a user, but making the feature opt-in for existing users...and opt-out for new users would have seemed to make the most common sense.

And this might go against the grain, but if I had to give up a bit of privacy and get an edge against a peer for a job that I need...I'd likely do it. But it seems like a lot of complaints were from still employed engineers and having their employers find out.


New features are almost never opt-in. It’s way more tempting to show a high user number in a status meeting than care about user privacy.


People need to be less naive, how many companies in the world care more about their users than their business? None?

Triplebyte reverting their decision is a business choice, they have probably estimated that their brand will be less impacted if they excuse themselves than if they continue. Everything is a business decision

Is it bad? I don't think so, this is just business. We give our data to companies and they do whatever they want with it, because the legal system is not strong enough on that.


The apology is very nice, and I am glad that they are not pushing ahead with this feature. However, actions are what matter.

One thing that was brought up in the comments was that if you wanted to cancel your TripleByte account, you had to email the company. This is a dark pattern.

If TripleByte really wants to show they changed they need to immediately implement a “Delete my account” button that after requiring you to retype in your password for confirmation, immediately deletes your account. Immediately. No waiting period. No having to email anyone.

Implementing that feature in their next sprint would go a long ways toward showing that they are genuinely contrite.


And certainly not having to provide 'government issued ID' to the company for the privilege of having your account deleted, especially since none was required for account creation.


I've had the good fortune of knowing the TripleByte team personally. I'm not at all surprised to see this being handled in such a sincere and agreeable way.

Ammon is a sincere and truth-seeking individual. He's willing to be convinced that his opinion is wrong, a character trait we don't do enough to praise and which I've found to be exceedingly rare these days. Situations like this highlight exactly why I've trusted them with my data in the past and will continue to recommend TripleByte to friends in the future.


[flagged]


Unfair. I’ve worked with Ammon IRL at a different co, he’s one of the most genuine people in the valley. Did PR consult? Probably. Is it just spin? Definitely not.


That would be ok as a top-level comment (albeit not a very substantive one) but it breaks the site guidelines to post it to attack another user. Would you mind reviewing https://news.ycombinator.com/newsguidelines.html and sticking to the rules when commenting here? We'd be grateful.


Good on them to admit they were wrong and changing course. I wish there was less "oh, but they only did it because of the outrage" and "oh, they'll just sneak it back in later".

They messed up, they sought to rectify it. Good job.


I’m sure it wasn’t helped by the CEO coming in and defending the decision. But he’s taken the blame and apologized himself, and he’s here talking about what went wrong and what he was thinking. It’s not gonna convince everyone, but to me, that’s an apology.


I already changed all my data on my profile (including email), so I won’t be getting the apology email.

It’s not just failure of “effects”. I’m an EU citizen and it was a clear intent of GDPR violation.


Wow, they had European users? They are fucked.

This is about as serious and willful a GDPR contravention as you can get. I hope they have good lawyers because they are gonna be hauled over the coals by multiple countries' data commissioners.

Wow just wow.


well no, because they didn't actually release the feature, therefore no damage was actually done.


Presumably they have a lot of California users? Likely goes against CCPA as well.


If Triplebyte has no staff or assets in an EU jurisdiction, what could they do?


Setting up a country based IP filter is trivial if they don't want to serve EU and California.


They could filter traffic, but they might have some profiles for users who later moved to the EU.

But I'm asking whether GDPR authorities have any recourse to take against a US corporation that has not expanded into the EU.


https://gdpr.eu/companies-outside-of-europe/

If Triplebyte doesn't even do IP filtering for signups, they are servicing EU citizens. Actually I told them that I don't have US VISA, so the “local golf course web site” case doesn't apply.


If anyone is looking to delete their account: https://triplebyte.com/privacy-center


Did this company decide to do this blindly or did they try canvassing a response from a target set of users about what they planned to do? Surely if they did canvass feedback for their plan then an overwhelming No would have prevented this unmitigated disaster.


We did user research, but not about the opt-out release, just about the features of the profile. This was part of the major screw-up.


Any chance of a post-mortem write up on how exactly things went wrong? Including some discussion on how data's going to be protected moving forward? Now that everyone knows this is a type of privacy violation that could occur, it's going to stay back of mind (a "why should we trust you with this sort of data now?" sort of deal). Potentially losing a job or having career plans stunted because a website added a new feature is a lot of power to trust a website with.


We're working on a post-mortem internally right now. The thing I want to do externally is make a more clear/binding commitment to user privacy. The idea is still a bit inchoate, but I want to do something that makes this not just about trusting us.


“I want to do something that makes this not just about trusting us.”

Is that because deep down inside you know the public would be foolish to trust your company in its current form?


Well written apology but despite that I'd still be very concerned that a company entrusted with so much sensitive personal data can get this so wildly wrong and then also get the initial responses to the very predictable negative reaction so wrong.

Did nobody in the room speak up? Is this a culture problem too?

To have a chance at winning back trust these guys need to make deleting accounts instantly their next feature and make confidentiality the first priority in everything they do - and that means doing it not just marketing it.

They probably also need to hire someone to tell the CEO "No!" the next time if nobody else is prepared to. It seems likely there will be a next time if this one didn't set off alarm bells.


Nice apology, that's a lot better than in the original thread. Now there remains an awful lot of dark patterns around the whole cancellation process, as well as a bunch of others besides. If Triplebyte wants to clean this up for real then they should starting now be 100% clean and tackle that as well (and have a good review on the use of further dark patterns in other parts of the site). Otherwise it feels as if the only reason they changed course on this one thing is because it got too much attention, the real proof will be in how they run the company as whole rather than just this 'feature'+ retraction.

+insofar as involuntary sensitive data disclosure can ever be labelled a feature.


Didn't get the apology email which may mean that they actually deleted my account as asked with no further nonsense or asking for identification. Which is honestly good on them. With this reversal, in the future, if I'm looking for a job, I _may_ look at Triplebyte again, but I'm certainly not giving them any info before then. Good luck, Triplebyte.

Edit: Nevermind, I just got the email. Still no response to my request to delete my account.


Ammon says they’ve gotten 2k deletion requests since the announcement (https://news.ycombinator.com/item?id=23304097). They probably never automated the feature (why would they? before this they were probably getting a couple a week) so I imagine it may take a while for them to work through the queue.


Just makes you wonder what else is going on there from a product standpoint. How many similar "good ideas" have they launched? Selling data? Employers access to your profile?

Hiring is their business and such a complete misunderstanding of the system and subsequent tone deaf responses (up until today) really make you question the entire thing. Or their grasp of hiring in general. Even with the best intentions, does make you worry.


Just went through Triplebyte right as Ammon laid off my talent manager (strangely right before most COVID layoffs) and a lot of their staff. I wrote Ammon and he wrote back saying "layoffs are hard! blah blah blah." I previously had written Ammon about a Triplebyte-facilitated on-site where the company refused to offer me an accommodation due to an arm injury I had and one of the interviewers told me they move so fast that they couldn't hire somebody with such an injury (WTF? it's going to heal!). Ammon replied "hiring is hard!! blah blah blah" and now that company is a favorite of theirs-- the company even has their own channel on Triplebyte's slack community.

I then deleted my Triplebyte account, but they continue to spam me and try to get me to engage on their blogging spinoffs. I would never again trust Ammon with my personal information.

Triplebyte has built a pretty remarkable, data-driven evaluation system; the Talent Managers were also really helpful to me. But Ammon is really really over his head when it comes to managing people and balancing ethics with financial headwinds. The product deserves a much better leader.


What you need to do is to imagine you are designing a hammer, not a honey trap.

With a hammer, you are creating a tool that you will sell to people that they can use (or not) freely and they are in control of it. Design the handle so it doesn't splinter and the head so it doesn't fall off. Make a great product. The mind set is user-first. Or "Don't fuck the user"

With the honey trap you are trying to attract pests and trick them to coming in thinking they'll get something special but really they just get stuck. The users are the victims of the trap and you are the trap owner. You are more interested in how to attract and leverage users than how to serve them. The mind set is, how do we leverage the user to make our business more valuable, or "How do we fuck the user?"

Step 1: Sniff out all dark patterns and eliminate them. For example 1 month time limits on preference opt-outs e.g. "I am not interested in looking for a job". WTF? There should be no time limit on that, and no follow up "are you sure" emails. Be a resource, not another 'shady recruiter'. My hammer doesn't yell at me that I haven't done any DIY jobs lately.


One way to avoid making mistakes like this would be to run your big ideas by a handful of average users of your product. Take the information that will be in the eventual announcement, show it to 10 users, and ask for their feedback. Better yet, have a panel of trusted users that advise you.

The reality is, pretty much anyone could have told you this was a bad idea, and that should suggest a process that involves asking someone, and listening to the answer. It's a certainty that people within Triplebyte knew this was a bad idea, and may have even said so. I'm sorry to say that most CEOs I've worked under don't really believe anything that didn't come from a business book or their own brain. Anything else is just one poor idiot's opinion. There are many truths known by the team at large, discussed over lunch and around the water cooler on a daily basis, that the CEO has heard before, but just isn't interested in taking seriously.


“oops we forgot to NOT do the plainly shady wrong thing and make your private data public, for our benefit - thank you SO much for reminding me. Shady shit will never happen again. I promise. ;)”


THIS is how you write an apology letter.

Kudos to @ammon

I deleted my Triplebyte account over this issue. While I’m still somewhat wary, I would now consider using Triplebyte again after this apology. Thanks for posting it!


All they needed to do was to make the feature opt-in. That's it. Encourage it all you want, advertise all of its supposed benefits, but just make it opt-in.

Still, probably too little, too late for most people (myself included) who just saw their trust permanently breached by a brash move and get told by a CEO that you'll love it, honest! All you just need is to understand it! If you don't like it then it's your fault because you don't understand! And this doesn't even begin to address all the dark patterns they've caked in their UX.


For what it's worth, if they'd just made the feature opt-in, I actually think it's a great feature. I'd love a Triplebyte page that I can link to instead of a resume (that's what I originally imagined when I read the email).

I'm a huge fan of Triplebyte, they got me two great jobs I never would've gotten otherwise (I didn't go to college, my resume usually gets automatically tossed). Their mission to fix credentialism succeeded with me. Hope this setback doesn't deter them from building more great things.


I’m a non-technical lurker of Hacker News - a community builder who comes here for credible, thought-provoking news with intelligent comments. First time commenter.

My biggest takeaway from the reaction to this letter is that people seemingly would have rather had this CEO’s sincere and heartfelt words filtered through a PR agency, who would have mangled the genuine sentiments to create sterile and thoroughly-filtered corporate bullshit. People would rather be spoon fed crap from a campaign team than listen to the earnest, well-intentioned, real voice of the person who wrote them. What kind of a world are you creating when you reward an honest, but imperfect, apology with derision and judgement?

I have no stakes in this game. I’ve never used TripleByte’s services to seek employment. I don’t know how to code. But I believe in merit-based hiring, and I would not be so eager to burn to the ground this company that I think is performing a valuable service (to individuals, but also in shifting trends of hiring practices as a whole) over an oversight that they owned up to after a night’s sleep to reprocess.

The world I want to live in is one in which people are hired based on their capabilities, and where people are willing to extend trust and forgiveness to people when they are being honest and owning up to their oversights. The flaws in this letter that commenters are tearing apart make it clear to me that this CEO is a rare example of someone not lying through the teeth of a campaign team. I value that much more than the facade of perfection.


Five years ago I was a HN reader and I tried out Triplebyte. I got to the point where they would contact me but instead the rules and criteria changed so that I wasn't eligible. I then forgot about the site.

A year or two after I think I tried Triplebyte again but then my account was in some weird state. After complaining on an HN thread about Triplebyte my account was restored. I didn't take the site really seriously at all.

While browsing reddit I used to see constant Triplebyte ads. I think I saw them dry up at this point and that seems to conform to current economic conditions.

Now fast forward to this year and I deleted my account after this public profile idea was announced on a Friday. The whole point about having public profiles is probably a way for Triplebyte to get seen by more people and get some kind of network effect going on since they are in dire straits.

The response that Triplebyte has done is quite admirable in that they aren't launching the feature. Launching on a Friday when people also think that you are trying to bury the story or people won't notice is something to regard.

The thing I don't see anything really different between these new startups attempting to disrupt existing staffing companies. My current job which I am very happy about I got from a staffing agency after going through hundreds of recruiters contacting me.


Can anyone explain why they'd be a LinkedIn data partner yet did this to compete with LinkedIn?

Go to their site and paste this in your console: window._linkedin_data_partner_id


It might be attribution for any LinkedIn ads they're running?


The true part is that the business is in crisis and they were trying to move quickly to save it.

I don't believe that he did not know the impact of the default public option - that is not credible. It certainly sounds better in an apology than "I knew it was bad but decided to try it anyway." The privacy problem is obvious to anyone thinking about it for 10 seconds, and the fact that he would try shows a lack of respect for his users.


IIRC, TripleByte had a vision to be the recruiting division of all tech giants. Big-name companies would centralize their most important recurring, expensive, risky process into a third party to save some money and time. Even when that third party just so happened to be working for all of their direct competitors.

At the time, I thought that vision was a mirage; a recruiting agency grasping for VC dollars.

Now, it looks like they're trying to find a new vision.


Well those companies exist right? Accenture, Cognizant, EPAM, etc.

If anything, I’d say Triplebyte hopes to be what those consulting companies are but to startups.

Now, if it turns out startups just have crappy budgets, then you have to lower the barrier to entry into the platform to accommodate those budgets.

Similarly, if you indoctrinate enough of new grads/bootcampers to feel like they need the Triplebyte cert (feeling left out that everyone is in Triplebyte and you’re not? Welcome to the psychological game, behold the public profile and badges), you can then also indoctrinate startups into thinking that’s the standard that they need to be looking for too.

Anyway, devs with enough experience should be out of this game mostly, this will affect the entry level tier of developers going forward. You might be stuck in the damn Triplebyte loop.


Imagine being on the dev team and hearing this. I'd probably quit. Good grief ...

Having said that, it's weird that no-one raised this as dodgy while working on it.


What, just because a feature got cancelled?

Heck, that's every single day at my last job. North of 50% of the code I ever worked on because a C-O insisted it was top priority got thrown in the trash. C-O screwed up, feature won't go to production, hurry up and work on this other thing instead? Oh, I guess it's Tuesday. Paychecks keep coming, I keep workin'....


Seems like it was an entire platform rather than just a feature. I don't know how you do it! I've worked somewhere like that too and I found it so demoralising.

Reminds me of the study where people built things out of Lego, and watched on as someone disassembled them and handed them back to be rebuilt, finding this to be deeply unsatisfying. (well duh)


I separate my identity from my job, and my "work product" from my personal projects. If I get paid to make something for somebody else, it belongs to the person or organization who paid for it, and they can do what they want with it--including burning it down and throwing it away. I already have their money; what they do with their property is none of my business. As long as I know that I did a good job on what was asked of me, that's all that matters--I can be satisfied with my work.

Now, if they tried to tell me what to do with my own personal projects, we'd have problems!


great apology, but doesn't justify the incompetence and initial justifications.

You're telling me that no one on your team has brought up the issue throughout the whole process? That leaves three possibilities.

1. someone brought it up but you ignored it and pushed through anyways
2. Nobody brought it up due to incompetence
3. Both happened just 2 happened late in the process.

Why would anyone trust their data with leadership that incompetent?


This sounds like the best response they could have given under the circumstances, and it's not like they can undo the announcement or the initial response. I deleted my account, and I'd be hesitant to have anything to do with them in the future, but I'm open to having my mind changed if the company winds up placing a higher value on business ethics as a result of this whole thing.


Too late. I deleted my account today.

Though of course it apparently takes 30 days to process an account deletion. Why? Do you guys need to recruit a DBA?


30 days is the maximum time allowed under GDPR. Quite typical to tell people it might take up to 30 days (though in practice I've found it rarely does).


I have no idea what this is, but I'm a huge fan. The reign of Linkedin as de-facto standard has to end. It's unacceptable recruiters expect me to have a profile on some proprietary website. Luckily not everyone is a moron and it's not a blocker in getting a job, but I still hate people asking me about it.


i tried out triplebyte when they were first coming out and i had a negative experience with them. okay fine whatever. on to the next.

then all this hubbub came out. i was annoyed because i had ignored the email like most people until they saw the hackernews post. so i went to their site, spent way too long finding the opt-out flag and was about to close the window when i saw that my "profile" that i never agreed to said i had zero years of programming experience.

i'm actually very upset about this. a company who most people think is "legitimate" is telling potential companies who are looking me up that i have zero experience. they could have cost me a job in the future all because i didn't agree to play their game and fill out their profile.

so no thanks. i've already been put down twice by them.. no real need for a third time now is there?


I haven't received the email yet. Are they canceling the feature altogether, or just making it opt-in by default?

I liked the idea of the feature quite a lot. I'd love to be able to publish select Triplebyte info. It just needs to be something I can choose to do, rather than chosen for me.


I received the email today, then went to check my triplebyte profile. On visibility settings, I saw the default public visibility is still ON. Probably they are cancelling this feature anyway, but still showing ON in public visibility seems like another mess-up!


PR to pull the visibility toggle from prod is under review. Much of the eng team is out for the long weekend, and we may not merge until tomorrow. However, the public profiles themselves are not in production and we are canceling the feature.


Wow, this reads as incredibly disingenuous considering the glaring dark patterns they were using to try and sell your private data and make more money. I cannot reconcile this apology with the underhanded tactics the CEO was using to promote this now cancelled feature.


I'm re-reading the threads, and I can't stop wondering if this whole mess could have been avoided by simply posting a "Ask HN: As a TripleByte user, would you mind having a default public profile..." question here on HN? Anyway, I still believe that asking your target audience for an opinion is a better way than trying to think instead of them. Steve Jobs might have gotten away with that, but we are not Steve Jobs, or Apple for that matter... Not trying to say that Steve didn't listen to the audience though, I bet he did, but he had some strong opinions on how something should be.


I want to do a bunch more of this in the future.


(thumbsup)


I don’t think this guy can recover trust from here. It’s not just the feature and the email, it’s his indignant and dismissive tone in the comments here afterwards:

https://news.ycombinator.com/item?id=23280137

This comment is the hallmark of a company that doesn’t feel like it needs to answer to users or criticism. They can reverse a decision and send out a tearjerker of a mea culpa but people do not change their nature over a weekend, and I am just not going to trust the man who wrote the comment I linked above.


This is why we need strong data protection legislation, and a regulator with teeth.

No service should be allowed to unilaterally decide what happens to our data, and gross changes to service agreements need to be vetted.


I'm for a competitor to LinkedIn, but I never got an answer to what the play was after opening up profiles. I support TripleByte's mission, yet I don't believe that you have critical mass in both job seekers nor in sway to convince companies/recruiters to change their process.

What was/is TripleByte's plan to "push the industry to look beyond traditional credentials"? [1]

[1] https://news.ycombinator.com/item?id=23280341


The Triplebyte process sounds difficult enough that, paraphrasing one user experience I read: "someone who would pass the Triplebyte interview/process is likely someone who probably wouldn't have needed to use Triplebyte in the first place".

From what I understand, Triplebyte is supposed to help candidates that might be "good", but not getting any traction from applying to jobs (either by themselves or contacting a recruiter). And to skip the phone screen.

However, from personal experience, as a candidate with a less-than-awesome profile and resume, I still get contacted by top tech company recruiters. And frankly, most phone screens are not terribly difficult. So I am confused what the value proposition of Triplebyte is.


For me, I come from a mixed career background which even one manager told me was a red flag to them during the interview process. Triplebyte’s value prop, to me, is in helping my resume get looked at at all. This is great because I’ve generally done very well in phone screens when I can actually get them. However, my comment stems from the experience that bias only gets removed from screening phase. Once you’re onsite, you can still tell which interviewers look down at your resume and suddenly you’re back to square one. Only this time in a high pressure situation where the interviewer has full reign to try and find flaws in you.

As for recruiters, I get contacted a lot but I have yet to meet a recruiter who was willing to work with me to communicate to hiring managers why my resume looks the way it does. All of them just want to drop off your resume and put in no effort in helping you which is no different from cold applying.


This is how people grow. By fucking up, taking some heat, doing a little introspection, and correcting their mistakes.

> Nor in the critic let the man be lost

> Good-nature and good sense must ever join;

> To err is human, to forgive, divine.


Almost got away with it, too, if it wasn't for those meddling kids and their inability to accept that a small violation of their privacy would have a big impact on my bottom line.


It seems to me that this is some sort of last-ditch effort. The fact that this was even considered in the first place shows a massive misalignment between Triplebyte and the type of users it is intended for. Engineering types are less likely to use LinkedIn/Social Media in general, and having a total disregard for privacy is something that generally does not fly well for us.

I’m glad the decision was reevaluated, however there needs to be more work done to re-gain the trust of the community.


Personal thoughts for ammon, hoping @dang hides me, please hide me @dang.

Ammon,

You single handedly destroyed something you created but I can relate and feel what you might be going through ATM.

It will suck and it will leave you with scars that'll be hard to come off and stick for the foreseeable future.

Eventually, You'll come out of "it realizing this decision and reversal of an easy growth idea with hard execution and be subjected to it on target vocalists on HN"

You'll do better, never stop because of internet shit.

- Be Good

(Random individual, doesn't matter)


I am happy that he reversed his position. I think once they keep providing value to their user in mind that they should be in good stead. Even if this idea falls apart, and users see that they genuinely tried to provide value, users would not mind taking a chance on them the next time.

Right now they are in a hole, but I think providing value will definitely dig them out of that hole.

I think the first act of good faith can be removing dark patterns, allowing users to unsubscribe easily from your service.


I didn't get the apology email. I immediately asked they delete my account which never got a response either when I got the public profile email.

I asked them to delete my account a couple years ago as well and they never did then either.

I will never, ever trust this company or use their product. There are other options out there just as good and not sketchy.

PS I like how the email went out on a Friday night too, even more sketch to try and limit # of people who opt out.


I haven't received the apology e-mail either. The only action I took though was to rummage around the profile preferences to find the setting to turn off public profiles.

I wonder if they're sending the e-mails out in waves or if they're only sending them to users who still have the feature enabled?


I’m curious to know from anyone who has hired through triplebyte - has the quality of candidates been consistently better in terms of success at the company post-hire than it has through your previous recruiting efforts? Also, for a candidate that comes to you through triplebyte do you consider them vetted and are just interviewing for cultural fit at that point or do you still put them through your own hiring process?


Hopefully this proves to be an illustrative lesson: the best apologies are almost as good as not doing something that requires an apology at all.


Until we make crap like this illegal, companies will always be incentivized to abuse our rights -- even at the cost of their leaders' credibility.


I’d be very curious how many account deletion requests happened.

This is interesting in that it’s the new GDPR / CPPA era where users were legally protected to request the complete deletion of their data. Something that Triplebyte would have had no obligation to do in the past. Are we seeing a change in that violating user privacy can have a meaningful negative impact on a company?

Interesting developments


We've seen about 2k account deletions since Friday.


~2k account deletions in just 3 days is a lot. Would be nice to get a ballpark on the total number of accounts?


I'm proud to have been one of them.


I don’t know what value triplebyte provides in a sea of similar sites. I am sure this was an attempt to do some vertical integration and build differentiation from their competitors. It backfired. I can see why they did the public by default thing as that way they can force themselves as a LinkedIn clone. It backfired and they retreated a little bit. They will be back


I saw the initial note and didn't think about it much. Figured a public profile was fine for me. For what it's worth, I found good work through Triplebyte at a time when I really needed it and other sources were not panning out. Even if I felt affected I would be inclined to give them a pass on this as long as I could opt out easily.


that's the kind of response from a ceo i want to see. normally, i would just expect “We did something that was unpopular. please buy our other product. also, the word apologize occurs somewhere here but it does not carry any of its significance” but this ammon person actually explained what he did and why


"An action will not be upright unless the intention behind it is upright, for the action depends on it." Seneca


Um, so you... failed to check a pretty glaring "edge case" is what you are saying? You maybe failed to optimize the solution, is what you are saying? Ok. Fortunately, this glitch— although certainly catastrophic— is a weakness in analysis and execution that can be practiced over time.


This is why we need data breach laws -- to which dictated Terms of service's must abide. You can't write in a TOS "we have the right to kill you"... it should be the same way with data -- any changes to the scope of how and to whom data is accessible must be approved.


Regarding the previous post: "WTH TripleByte". Regarding this post, "Thank you".


I understand the anger by some users, but why punish those (like myself) who were quite interested in having a public Triplebyte profile?

I think they should go the middle road: make it opt-in. If you do nothing, nothing changes, but if you want a public profile, you can get one!


Tangentially related topic, but I never found success with Triplebyte, 2 times I tried them. I found that their companies' selection is too small compared to competitors.

Also I heard from a company that used them that they are expensive.

Not to mention cringy ads on Reddit.


While this does seem like a heartfelt apology from the CEO, this incident is a reminder of how much of our privacy we willingly hand over to companies and how much power they wield over us. It is immensely disturbing.

I will not be using Triplebyte’s services.


I feel sorry for them and Ammon in particular and I think this can be turned around but that mail and that feature seems like only the icing on the cake from what I can see.

It seems to me there's a whole cultural problem going on.


In terms of corporate apologies this is amazing. Kudos to them and the CEO.


Funny enough, the email announcing this went to my spam filter on Gmail.


I sent an email to them a couple of days ago, requesting my account to be permanently deleted since I did not want my information to become public. Glad to see it got reversed :)


Url to delete your profile, if unfortunately you have one.

https://triplebyte.com/privacy-center


Why are people using this crap instead of portfolios and filtering crap jobs? You don't want to be working for these types; you can own and operate as a business.


I sent an email a couple of days ago for them to delete my account permanently - because I did not want my info to become public. Glad to see it got changed


The public profile feature was not a great decision, but Ammon revoking it in two days and sending an apology to everyone is extremely respectable.


Not fending for triplebyte at all here, but what do you all have in your Triplebyte account that isn't on the web somewhere already anyway?


> As CEO, this is my fault. I made this decision. Effective immediately, we are canceling this feature.

I'd love to know the dynamics behind such decision


dynamics:

“oh shit, the public is now aware of how broken my moral compass is.

let’s continue to frame this internally as a “PR” problem rather than address the difficult reality: a light being shined on our apathy toward our users and our willingness to ruthlessly sell people out until we get minted”


It's good they sorted this out, their product seems like a great idea, and I was not aware of their service prior to this incident.

Good on ya Ammon!


Nothing to see here. Ammon has tried a bold move to chase big money, used a few common tricks (release on Friday night, opt-out and other dark patterns), it didn't pan out and now he's doing damage control. When the dust settles, he'll give this idea another try.

This is all from a corporate playbook, but it seems Ammon hasn't read the entire book. There's a chapter there that tells how to systematically manufacture situations where all the blame flows downwards while all the rewards flow upwards, so when a bold move like this pans out, credit for it would go to the top, and if it fails, blame goes to the bottom. Basically, he should've created a clueless VP of business relations or something of that sort, manufacture the situation where the only way that VP can get a fat bonus is by implementing this shady move (the idea should be delivered via another channel to have plausible deniability later) and watch the action from his armchair. And when it's failed, blame that VP for too much eagerness and fire him with a golden parachute.


I think this is an overly cynical take on things.

Consider the fact that if Ammon had fully considered this rollout, it would be very obvious to him that this would be the response. The legal ramifications would also have been obvious.

I think the only reasonable explanation is that it wasn’t fully thought through. I think his business being hit hard by the pandemic is a reasonable explanation for that. There’s no way TripleByte isn’t hit hard by this. Rushing a major feature out is exactly the kind of thing he’s supposed to be doing right now. It seems he just thought too much on making the business and tech side of the feature successful, and didn’t give enough time to the human and legal side of it.

Personally I thought his email was way more introspective and revealing than it even needed to be, and I think he’s being genuine.


I don't know Ammon, but I don't think he's chasing "big money".

The best founders I know, when they make mistakes like this, aren't doing it for the money. They're doing it because they are trying to create the world they want to see exist, and that blinds them a bit. In this case, I genuinely believe Triplebyte just wanted to have a bigger impact on the hiring world, and try to fix it for engineers. Did they fuck up badly? Oh yeah. But I don't think it was for "money".

Triplebyte has 33 employees. They don't have VPs getting "fat bonuses". They don't have "golden parachutes". Look at their about page (https://triplebyte.com/about), it's all engineers and designers and CSMs. They're just a group of people doing their best to try to fix something we all hate (technical interviewing/hiring).


I interviewed with Ammon when the founders were running interviews themselves, and after a not-great interview he still stuck around with a junior to just talk tech for a good while. He left a really positive impression on me.

I see them as mission driven, this was a bad step but I trust that they're still focused on trying to fix a broken hiring system.


Triplebyte wants to go toe to toe with LinkedIn profiles and take the gatekeeper throne from it. Once it has the throne it can do anything, forget about fixing the world.


> When the dust settles, he'll give this idea another try.

This was my reaction when the word "feature" was still used in the apology. If it creates risk or user unhappiness, we call it a bug, not a feature. It's like calling mitigations for spectre from Intel a "generous rollback of performance features".

> Basically, he should've created a clueless VP of business relations or something of that sort

reminded me of the Gervais principle which I learned about from this nice article

https://www.ribbonfarm.com/2009/10/07/the-gervais-principle-...


The feature is public profiles, and I for one think it’s a neat idea to make a better alternative to LinkedIn for developers. This whole mess was not about the feature, but the way it was going to be rolled out at short notice to everybody who hadn’t explicitly turned it off, which is very different. I think Ammon himself put it best:

> I still believe there's a need for something like this. But to release it as a default public feature was not just a major mistake, it was a betrayal.


Wait, so he’s following the classic playbook about how to screw over your users and get away with it, but he also forgot to read and follow the part where he gets away with it?

Isn’t it more likely that he just made a mistake, realized it, and apologized? You can reject the apology, of course, but it doesn’t seem like you have any evidence that it’s not genuine. In fact, the evidence you claim (“classic playbook”) you then invalidate immediately after (“he clearly forgot half the playbook”).

If someone makes a mistake, is there just nothing they can do to ever convince you it was not pure maliciousness? It seems like even an apology is then taken as evidence of ill intent. Why would anyone ever reverse course or apologize under your view?


I think the reason why this seems more likely to be malice is because the CEO's initial reaction to the backlash was not to listen to and understand the feedback, but to repeatedly try and justify their actions. To go from commenting all over hacker news about how you aren't doing anything wrong, to sending out an email completely reversing your decision a couple days later, makes it seem like the apology was more motivated by trying to do damage control rather than genuinely thinking their actions were wrong.


I was on the original thread. He made a few comments over the course of a couple hours, if that. He wasn’t “all over Hacker News”.


You're right that the CEO wasn't “all over Hacker News”.

But the parent is indeed correct in implying that the comments he did make were anything but receptive or conciliatory.


Right, but that seems completely in keeping with his version of events. They announce this is coming without much consideration and then later he finds himself under scathing attack from HN, reacts badly and leaves some defensive comments, then takes a couple days to think about it, realizes he was wrong, writes a very good apology email.

That all makes sense, this isn’t the end of the world, can we just move on, please?


Yea that's fair


Often, the driving force of such moves is not the founders, but investors: the company accepted a generous investment in past and had to sign a contract where the investor may wind up the company if the returns are low. In other words, it could be that Ammon was given a choice: triple profits by end of year or sell his share.

Regarding your question. Mistakes and apologies are words from the lexicon of normal emotional people. Companies, on the other hand, are soulless profit driven maniacs and their lexicon has words justifiable, plausible and profitable. When a company gives an apology, it's because it deems this combination of words the most efficient way to influence its user base and minimize damage (to profits) just done. People who run companies usually embrace this mindset if they want to get rich.


> it could be that Ammon was given a choice: triple profits by end of year or sell his share

That seems unbelievably unlikely.


Pardon my ignorance, but what insight or experience leads you to this conclusion?

Venture capital is quite the opposite of passive investing. I guess everyone on here is well aware investors are not doing it for fun but first and foremost for protecting and, ideally, multiplying their assets.


I doubt many VCs would see swapping out a founder as improving the outlook of the company, particularly when the issue is the general macroeconomic situation rather than an issue with the founder. Founders are a huge part of the valuation of a company - they've spent years learning their market and how to build/run their company. Once a company hits a certain size, you'll see professional CEOs brought on sometimes, but I would think Triplebyte is too small for that. At ~30 people would the company even survive founders being replaced by VCs?

VCs also like to be able to attract the best founders by being 'founder-friendly' and replacing a founder hurts that image. Starting a company is hard enough - you don't really want investors who add to the pressure.

From what I've heard, COVID seems to have stopped new investments (outside of companies that have gotten a boost from COVID) so that VCs can focus on their existing portfolios.


Are you in a position where you have been offered this? No founder I know has.


He did the next best thing outside of not releasing the feature in the first place. Credit to him, many companies would double down or ignore HN (a very small community relative to Triplebyte's userbase) completely.


I agree with you, although I think the opposite is true about the size. I imagine Triplebyte is a small subset of HN's userbase.


I created an account back in mid-2018, when I wasn't exactly happy with my employment situation. I didn't use Triplebyte to interview anywhere, but I left my personal information on the site. Fast forward to the present, I now work for a different company where I am actually happy. The post on Friday didn't sit right with me, and neither did the obtuse response by the CEO. I wouldn't like my profile to suddenly show up in a job hunting site.

But, the damage is done. I ended up deleting my account over the weekend. The process to do so wasn't as convoluted as some said it would be, it only took 1 hour.

P.S. I didn't receive the apology letter, so at least I got taken off the mailing list.


In your hypothetical narrative I would say that Triplebyte's investors would be the Machiavellian operators setting up a situation where they stand to gain from the company's risk and be shielded should it go badly. After all, investors in high growth companies are looking for one or two massive wins out of a portfolio of numerous companies and can justify such risks. The founder and CEO of such a company doesn't have the same risk profile since all of their eggs are in one basket.

To be clear, I don't have any reason to believe that this is what happened and I think such narratives are more appropriate for works of fiction. Reality is far messier.


Your critique is a weird way of saying “they could have done worse.”


This sword was always hanging above the heads of Triplebyte users. The mistake was causing the users to look up.


Hold up, a company that secretly recorded interviews without consent found other ways to violate user privacy?


So is Triplebyte safe to use after this? Or should I just use another service?


Should have known there'd be outrage and never done it in the first place.


Scummy move, scummy response. If you truly thought this feature was something valuable for your users, you wouldn’t just cancel it entirely, and you wouldn’t have dumped it on a Friday night. But it’s cool, most businesses are scummy. Foolish for us to expect otherwise from you.


it's ok, they are admitting the mess they made and it is ok


Not sure how you could get this so, so wrong.


Please don't call this sort of thing a feature.


> Triplebyte can’t function

Looking forward to that.


I don't think I will sign up for Triplebyte anytime soon.

Having a middle-man in the interview process can result in depressed wages.


They’re not a middle man though. They just let you skip to the final interview. Passing or failing that is up to you. Also, the only advocating they do is saying: “John/Jane Doe knows this much: ...”


Have you actually used Triplebyte? You're required to provide an expected salary range as part of your listing. And yes, you can technically provide an open-ended band (e.g. $0 - $999,999) -- can you guess what happens if you do that, and why Triplebyte advises not doing this, even though you have the option to do so?


Yes, I have used TripleByte. I haven’t gotten any job offers (probably due to interviewing in February right before COVID-19 went big). So I’m aware of how their system works.

And I stand behind my claim that they’re not a middle man. A middle man advocates for you, and sometimes even handles all the back and forth. A recruiter is a middle man. A hiring agency isn’t.


>A middle man advocates for you

Triplebyte is doing this by making you pass their assessment prior to listing you. Your presence on their platform is them selling you up.

Even if they do nothing but provide an introduction between you and a third party, and have no involvement whatsoever after that (aside from taking some sort of cut), they are still a middle man, because the connection was made through them, and they vetted your skills and qualifications.

It's not like LinkedIn, where you can just auth with a phone number and then put whatever you want on your profile. Triplebyte, as a company, is personally vouching for you by allowing you to appear on their platform.

>sometimes even handles all the back and forth

So you're saying some middle men handle all the back and forth, but not all. So is this a factor for whether they qualify as middle men or not? If so, why not just say they all do? If not, why mention it?

Hired.com is very similar to Triplebyte, and I don't see how you can argue that they are not a middle man.


> can result in depressed wages.

I’m (genuinely) curious how you think this could happen? When I went through Triplebyte they were eager to give me tips for negotiating a higher salary, since their commission is based on a percentage of the candidate’s first year salary.


It seems like a heartfelt apology.


wtf, had a bad experience interviewing with them.


Are they in Europe?


are they in euro?


It's not a good one.


... (continuation of Triplebyte email)

Rather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.

So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours. I can point to two factors (which by no means excuse the decision). The first was that the profiles as spec’d were an evolution of a feature we already had (Triplebyte Certificates--these are not default public). I failed to see the significance of “default public” in my head. The second factor was the speed we were trying to move at to respond to the COVID recession. We’re a hiring company and hiring is in crisis. The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping. Inexcusably, I ignored our users’ very real privacy concerns. This was a breach of trust not only in the decision, but in my actual thought process. The circumstances don’t excuse this. The privacy violation should have been obvious to me from the beginning, and the fact that I did not see this coming was a major failure on my part.

Our mission at Triplebyte has always been to build a background-blind hiring process. I graduated at the height of the financial crisis as most companies were doing layoffs (similar to what many recent-grads are experiencing today). My LinkedIn profile and resume had nothing on them other than the name of a school few people had heard of. I applied to over 100 jobs the summer after I graduated, and I remember just never hearing back. I know that a lot of people are going through the same thing right now. I finally got my first job at a company that had a coding challenge rather than a resume screen. They cared about what I could do, not what was on my resume. This was a foundational insight for me. It's still the case today, though, that companies rely primarily on resume screens that don’t pick up what most candidates can actually do--making the hiring problem much worse than it needs to be. This is the problem we're trying to fix.

We believed that we could do so by building a better Linkedin profile that was focused on your skills, rather than where you went to school, where you worked, or who you knew. I still believe there's a need for something like this. But to release it as a default public feature was not just a major mistake, it was a betrayal. I'm ashamed and I'm sorry.

Triplebyte can’t function without the trust of the engineering community. Last Friday I lost a big chunk of that trust. We’re now going to try to earn it back. I’m not sure that’s fully possible, but we have to try. What I will do now is slow down, take a step back, and learn the lessons I need to avoid repeating this.

I understand that cancelling this feature does not undo the harm. It’s only one necessary step. Please let me know any other concerns or questions that I can answer (replies to this email go to me). I am sorry to all of you for letting you down.

Sincerely,

-Ammon


I'm going to inline this text into the top post so that everyone can read it. (Edit: that's done, and I deleted "continued in comments" - normally I'd ask for permission first, but in this case it seemed better not to wait.)

You probably split the post up this way because the software told you the text was too long. Tip for the future: you can get around that by clicking 'edit' and adding the rest later. Don't tell anybody :)


Would you mind also doing that thing where the comment is collapsed by default? I spent way too long trying to figure out what was different about this text compared to the email or the top post before I skipped down and saw your explanation.


Ok, done.


Thanks!


Correct, and thanks, I'll keep it for myself :)


Thanks for the tip! I won’t tell anyone either :)


How did you manage to submit this? I tried to submit it myself about the same time you did but got an error that the text could not be more than 2000 characters. How did you get past this limit?


They originally put a prefix in the root text and the rest here: https://news.ycombinator.com/item?id=23303045. I inlined it. You can get around the limit by using 'edit' after a post is up.


Heh, that'll teach me to try to follow the rules. All that karma, gone! Gone, I tell you!!!!

;-)


Luke 17:4 “and if he sins against you seven times in the day, and turns to you seven times, saying, ‘I repent,’ you must forgive him.”


Single-purpose accounts aren't allowed on HN, and the religious material is off topic, so I'm afraid we've banned this account. Nothing against Jesus.

https://news.ycombinator.com/newsguidelines.html


It takes more than one person to design, approve and implement this feature. Ammon is trying to take the heat for a decision made by multiple people.

Right now, Triplebyte on a resume doesn't tell me anything very positive.

Why hasn't their VP of Growth or the Product Manager of Growth said anything on the subject?

People should be held to account. Working for a startup, it's easy to figure out who's to blame for these terrible ideas.


Sorry, but it's not ok to look up people based on their employer and drag them into a thread like that. That's a trope of the online callout/shaming culture, and we don't want HN to go that route.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...


Sorry Dang, I did check the guidelines on this. If I remove the names and only kept the titles, would that be acceptable for HN?


I'm really not sure. If the spirit is still to shame them or demand that they account for themselves, maybe not. If it's to make a more general point about organizations, maybe. If you had just included the titles and not the names or the links, I wouldn't have replied, so I guess the line is thereabouts.

It's true that the guidelines don't spell everything out, partly because that would be impossible, partly because beyond a certain length no one would read them, and partly because if they were written in a more legalistic or formalistic way, people would take them as sort of a bitmask, everything in the inverse of which must be ok. That's definitely not how things work here. We want a spirit of the law, not a letter of the law kind of place. I guess I've been saying this for a long time: https://news.ycombinator.com/item?id=7606756.


That's fair. Can the names in my post be redacted? It still shows up in DDG. I tried to edit it earlier after your response, but I left it too late.


I've reopened your comment for editing so you can modify it.

Edit: just to close the loop on this, the way you modified your comment does actually seem fine to me, so this was a nice test case of probing where the line actually should be. Thanks!


Is this really the place to call out individuals? Maybe it is. I don't know.

But in today's call-out/shaming culture, I think we'd all be better off if we held back the urge to call people out like this whenever we can. The leader of the company has already taken responsibility and he's here replying to people in real time. No matter how we feel about the situation overall, calling out more individuals seems to serve absolutely NO purpose.

Maybe I'm wrong, but if I am then I just won't participate in these sorts of discussions any more.


FWIW, Ammon said elsewhere in this thread that his Product Manager did raise this issue with him and that he dismissed it.


Head of Product. Aaron.

This feature was still developed and pushed by the Growth team, which obviously don't report to Aaron, as they have their own VP.


Thanks for the correction!


Oh boy. Where do I begin?

> Rather than safeguarding the fact that you are or were job searching, we threatened exposure. Current employers might retaliate if they saw that you were job searching. You did not expect that any personal information you’d given us, in the context of a private, secure job search, would be used publicly without your explicit consent. I sincerely apologize. It was my failure.

How about we stop giving our data to third parties just so we can use their software.

"The Cloud" is a corporate euphemism for "extreme centralization of data in our servers".

And "Software as a Service" is even worse, because it basically says you are RENTING the software, and trusting them to do "the right thing", including and especially with your data.

This is insane. It's 2020. Why are we doing this? One reason: we don't have a good open source alternative that can be hosted on many different places. Such an alternative should actually be end-to-end encrypted, and the hosting should be just redundant dumb boxes earning cryptocurrency for storing something.

> So, what happened? How did I screw this up? I’ve been asking myself this question a bunch over the past 48 hours.

What happened was the same thing that happened 17 years ago when Mark Z laughed about the "dumb f$cks" who "trusted him" with their passwords. To quote the excellent V for Vendetta speech:

> How did this happen? Who's to blame? Well certainly there are those more responsible than others, and they will be held accountable, but again truth be told, if you're looking for the guilty, you need only look into a mirror. I know why you did it. I know you were afraid. Who wouldn't be? War, terror, disease. There were a myriad of problems which conspired to corrupt your reason and rob you of your common sense. Fear got the best of you, and in your panic you turned to the now high chancellor, Adam Sutler. He promised you order, he promised you peace, and all he demanded in return was your silent, obedient consent.

Look, I'm biased. I have put my money where my mouth is and am building this reality (https://qbix.com/platform and https://intercoin.org). I have historically been downvoted for even mentioning that I am doing tangible things to solve this and give away the software. But I persist in doing so because it's better to actually build the alternative than talk about it endlessly. The Impossible Burger will do more for veganism than decades of talk ever could.

If you want to join this effort, email greg at the domain qbix.com . But whether you choose to support Mastodon, Matrix, IPFS, Dat, MaidSAFE or whatever, realize that we need to move towards a future where infrastructure is decoupled from power over your data. Your data should be encrypted and only enough shared for indexing. It should be provable with verified claims and zero-knowledge proofs, but only with your consent.


TripleByte is literally the perfect example of a company that should be centralized. They work because they have a reputation that companies can trust. Trying to make it decentralized takes away any value that TripleByte provides.


Given that interviewing is a skill unto itself which needs to be practiced, what happens to candidates who need to take a few interviews before they start hitting their stride? For me, I can see that using Triplebyte once the candidate is "warmed up" makes sense.

If TripleByte was the only game in town then a new candidate would fail their test and then it is game over. No more job search.


I agree with your concerns about a monopoly, but just wanted to respond to your point about needing to “warm up”: Triplebyte gives you a free practice interview that doesn’t count (unless you ace it), and also lets you retry in a few months if you fail the actual interview.


That's exactly right, it does take away that value from TripleByte and gives it to everybody. The value that TripleByte provides is because of the current state of technology.

Take for example the telephone industry. We had telephone switchboard operators, and it cost $1-3 a MINUTE to make overseas calls. You could make the same argument: "AT&T is the perfect example of a company that should be centralized. They have a reputation for connecting your calls reliably, and you trust them to not broadcast your calls to others." But, of course, in the last 20 years the Internet has introduced Voice over IP and now ANY company can provide faceless, nameless infrastructure and get paid, while your calls go end-to-end encrypted via the wire.

Are we all better off? Yes! Having decoupled infrastructure from power over your data (calls), we have dropped the cost to zero. We went from monopolies and cartels and feudalism to "dumb pipes". We have videoconferencing right now, something unimaginable 20 years ago not just because of bandwidth but because there were "perfect examples of companies that should be centralized" and "reputations that we can trust". There is far more at stake.

In the past, we had human calculators, printers, mailmen, etc. They provided a lot of value. Lots of industries did. Today we don't. Don't blame TripleByte. Blame the lack of good permissionless, encrypted alternatives.


Unfortunately, TripleByte’s solution has nothing to do with technology. When a company is looking to hire, the reputation of TripleByte means that they can trust that whoever TripleByte gives them is high quality. It’d work just as well if TripleByte didn’t even have a website and required all their candidates to come into their office - that’d just need a lot more capital and be discouraging for potential users. That’s different from the type of trust that AT&T had, where you’re trusting the quality of the software but not their trustworthiness to not lie to you. (Although there is some of that when you’re trusting that generally people can’t listen in on your call.)


I hear you. And yes, this reputation thing is different. But how do we know we can’t decentralize this trust?

Remember, the phone company was the canonical example of a “natural monopoly” by economists even including Milton Friedman. That’s why I chose that example. It eventually got decentralized too.


Not trusted so much now.


"Never let a good crisis go to waste"?


Please explain the meaning behind your words explicitly.

I am enjoying my -3 downvotes at the moment, waiting for my post to be flagged for daring to speak to the root of the issue.

The root of the issue is not TripleByte. Don't blame TripleByte. Blame the lack of open source, end-to-end encrypted alternatives. Why is saying this such a scandal?


Now, this is a good apology, compared to some other pieces of the genre I have seen in my life. Looks believable.


Now apologize for spamming my inbox without an unsubscribe link.


Not a good look from all the pro-privacy folks here to redouble your criticism after you got what you wanted. Assuming good faith is part of the HN guidelines, so let's give Ammon benefit of the doubt here as well.


I agree - it's as good an apology as it gets. Let's honour this and react more positively than had Triplebyte sent a non-apology apology.


Why are you under such tremendous pressure? Is this a desperate move of a company finally going out of business or a result of extreme pressure from the VC side?

Who has accessed the data already? Not only directly but indirectly as well? Have you received any compensation or settled any transactions by exposing the data?


We're under a lot of pressure because of the COVID crisis. We did have layoffs, but we're not in immediate danger of going out of business. The public profiles were set to go live next week, but this is now not happening. No data has been accessed externally.


They didn’t expose any data. The feature wasn’t live yet.


"The new profiles will be launching publicly in 1 week" It means a preview was already available in a limited way.


No, it doesn’t. It means they finished a feature and were making it live in a week. Nothing in that statement implies that there’s a limited beta.


Nowhere does it imply there isn't.


You’re moving the goal posts and asking me to prove a negative. Absent any evidence that there was a limited beta, we can’t assume there was one.



