Hacker News

One of two things happened:

1. Triplebyte attempted a big move against LinkedIn, tried to ease the blow to users by dumping on a Friday before Memorial Day weekend

2. Triplebyte, the company built around helping people find jobs, truthfully didn't understand that people might have concerns about their current companies knowing they are job-hunting

It's pretty obvious it's #1, and that opt-out rather than opt-in was the only way it would gain the critical mass needed. The outcry hit critical mass and now they need to walk it back, until they have a different strategy for re-segmenting LinkedIn's market



I'd say it was both. I wanted to move against LinkedIn profiles, I thought that opt-out was the way to get critical mass, and I screwed up and did not realize how large a privacy violation this was.


> I thought that opt-out was the way to get critical mass

But what about following every dark pattern in the book to prevent people from actually opting out[1][2]? There was not even an option to opt-out indefinitely.

It seemed like an extremely carefully engineered effort to trick the users. How can something like this be considered "unintentional"?

[1] https://news.ycombinator.com/item?id=23280040

[2] https://news.ycombinator.com/item?id=23283237


Regarding [2] This is extremely bad, like Google+ forced-real-name-policies bad..!

(For those who wonder: that and the Buzz incident made lots of people hate or at least distrust Google.)

Why why why do companies do this?

During the last 6 months I've stopped logging into Stack Overflow. It is a nice resource but for me it is read only for now because they messed up so hard - and refused to come up with a real apology.

Same goes for Quora: they betrayed us hard by trying to tell everyone what we were looking at. (Edit: next sentence added later:) Now imagine you've been reading up about health issues and realize it is suddenly on your profile. Still now, many years later I shun them as they haven't as far as I see come clean.

In some cases, if it gets caught early enough, just saying: "we messed up, sorry, here's what we will do:" can be enough.

In other cases - where there are layers of bad patterns, lies and contempt for users and volunteers I actively want to punish them until they start behaving.

Quora (broadcasting sensitive information), Google (trying to kill the web, insulting me with insanely misplaced ads for years, trying to kill Firefox), Stack Overflow all go on my list of companies that I actively work against, but I guess only until I see real change ;-)


I think I missed the SO news. What happened there?


They kicked a mod (Monica) who dared to ask questions about the implementation of their new policy regarding gender words.

IIRC Monica asked if it would be OK if she (or someone else?) wrote in a way that sidestepped the whole issue, for example by writing about "the user" instead of "he and/or she".

Again IIRC they leaked information to newspapers, misrepresented the case and issued one or more non-apologies before trying to pretend nothing had happened.


Is it really surprising that a moderator, who is meant to be enforcing the rules, protesting a "respect trans people's pronouns" rule with "what if I just stop using pronouns" didn't go well for them? StackOverflow should pick moderators that respect the spirit of the rules they're going to be enforcing.


You should read more about the situation. I think your take is quite naive, frankly.

And why it became okay to compel someone to use a certain pronoun as opposed to compelling them to _not misgender_ is absolute lunacy. Monica wanted to write her sentences in a way that did not require pronouns period, and they decided that was not okay. Not to mention all the mud-dragging and character assassination they pulled.

I’m on mobile so won’t dig up the link but go find what Monica wrote on it


This is the best high-level overview: https://meta.stackexchange.com/a/334417/302954


Sure, but moderators are elected by the community, Monica was elected before the new policy was a thing, and the community including Monica and StackExchange were discussing what the new policy was going to look like (the policy hadn't even been finalized yet, let alone rolled out) when SE went and fired Monica (doesn't matter what the reason, firing people from elected positions without consensus doesn't go over well) and dissed Monica (by name!) to the media.

And then obviously Monica crowdfunded $25k to sue SE, they came to an agreement and neither party really talks about the incident any more.

There was really no need for the situation to escalate as harshly as it did and SE shot themselves in the foot repeatedly.


It wasn't a protest, and Monica already didn't use pronouns.


> But what about following every dark pattern in the book

If the goal is to run after LinkedIn it seems a logical way to go, but they have a very strong head start on that.


Kudos for owning up straight on this.

I think LinkedIn is a massively privacy violating service, and alternatives are a very good and important thing to see. I would add one comment though perhaps helpful in the future:

One reason people here take such a vigorous stance against startups doing these kinds of "dirty tricks" is because they want real alternatives that treat them as more than a number of a row in a database. The incumbents will use opt-out techniques and consent walls, and dark patterns to grow.

But at the end of the day, they're being valued by the number of rows in their database. It seems there's a real potential to have lots of (but fewer) rows in your database, but for them to be actual valued users who get value from your service, and you make money from. Hyper growth scaling doesn't always have to be the only way. A curated network of a focused and high value verified demographic is likely worth orders of magnitude more than the incumbent, without any data selling or shenanigans.


> massively privacy violating service

And that's saying it gently.

Not sure if they're still doing it, but the way they were harvesting e-mails and then using them to spam the harvested contacts, they were no better than any other phishing site.

For people who use the same password on LinkedIn and their e-mail account, it was extremely easy to accidentally "consent" to this, and I've seen many an apology to the spam victims from someone who accidentally gave access. And they would spam everyone multiple times, with no way for the recipients to stop it. (They paid a $13M settlement for this; gladly, I assume).

It still boggles my mind that e-mail providers didn't both block LinkedIn's IPs from accessing contacts and spam-can everything from their mail servers.


Agreed - I think they stopped doing this, but I am still tempted to make a GDPR complaint on the basis I have never consented to receiving contact from them.

Looking back at my email archives, I was still getting "X's invite is awaiting your response" emails in October 2018, after GDPR began.

Perhaps I am taking an overly strict view here, but given my email address is my personal data, no amount of consent (or indeed waivers/warrants from users that they have my consent, which LinkedIn has no genuine reason to believe true) can grant them permission to store and process my personal data.

It seems nonetheless unavoidable for LinkedIn to have carried out the process of linking my email to the person that sent the (unsolicited) request. This kind of behaviour is really rather scummy. I hope that invite spam could be a separate case on the basis of a GDPR violation, rather than the "accidentally going into people's email and getting their contacts" (as incredulous as it is to even write this!)


Let’s be honest. This was out of desperation. Without this pivot Triplebyte was dead. And now it probably is anyway.

Ammon, the big money is going to be chasing cost savings as more remote workforces can now take advantage of overseas labor. The perfect storm of cost reduction pressure and remote workplace growth gives Triplebyte a great position to be the front runner in helping companies find less expensive overseas talent.


> Let’s be honest. This was out of desperation. Without this pivot Triplebyte was dead. And now it probably is anyway.

IMHO, that's the saddest thing about this. Triplebyte has a niche where they can provide value to companies and job seekers. But producing an objective analysis of someone's coding skills is expensive and doesn't scale well. They could make millions every year but it's not and never would be a billion dollar company. And it's too bad that millions is not good enough.


Applying a marginal amount of business acumen: there's other ways to get from millions to billion(s). They don't have to further monetize engineers. There's companies looking for all sorts of talent, beyond software engineers, in fact 99% of hiring is for non-software engineering roles. You can't get blood from a stone, but you can expand your total addressable market.


It's too hard to scale and protect margins. If Triplebyte proves out a business model you'll get a bunch of Triplebyte for X competitors. For example, someone will start the equivalent of Triplebyte focused on DBAs, another for Erlang devs, another for embedded, etc.


Wouldn't a growing company that needed to hire for several different roles rather deal with a single service than a separate service for each specialty role?


Yeah, I'm not saying there's not a viable business there. Just not one that's going to be worth a billion dollars in a couple years.


Right; s/he is saying that Triplebyte needs to be 'Triplebyte for X.'


He was honest and completely addresses this

> The floor has fallen out on parts of our business, and other parts are under unprecedented growth. We've been in a state of churn as we quickly try various things to adapt. But I let myself get caught in this rush and did not look critically enough at the features we were shipping.

In fact that paragraph is what made me accept his apology. The reflection and honest answer of how he decided to ship this feature was more than any company apology I've heard in the past.


While for me, that paragraph highlights his untrustworthiness...

"Money got tight, so we decided to monetise your sensitive data!"


Good on you for doing this- I think the apology is great and shows Triplebyte listens to feedback. I also think that taking on LinkedIn could be amazing for the broader ecosystem- LinkedIn is terrible, and anything competing against them would be awesome, so I wish you luck.


> I screwed up and did not realize how large a privacy violation this was

Riiiight. You didn't realize how big it was because you didn't care, until it was clear it was going to have a serious negative impact on you. You didn't care about the privacy of others or otherwise you wouldn't have made the choices you did.


Hey, I was complaining at you in the previous thread, so I feel obliged to say thanks for the apology and the reversal. I think the feature, IFF opt-in, is a good idea.

Thanks!


Do you have a Chief Privacy Officer? Or Chief Information Security Officer? Was the issue raised and the privacy impact miscalculated (not ideal, but mistakes happen) or were the potential privacy implications overlooked entirely?


We do not have a Chief Privacy Officer or Chief Information Security Officer. The issue was raised by our head of product and I dismissed it. I saw it as a minor concern (I'm ashamed to say).


Next time: pass it by your lawyers for a quick review if you can't trust your own judgment on things like this. Ditto for all the dark patterns you are still using today on your website, clean up your act. Note that you are firmly in the crosshairs of the EU data privacy watchdogs and that the fines are nothing to sneeze at, if you expect to establish and maintain a foothold in this market realize two things:

- trust is a crystal ball, you can drop it and break it, patch it back together again but it will never ever be the same way it was before, it can only degrade

- if you plan on being a player in this field you will have to take the privacy of your users seriously, this includes doing your privacy and security reviews by the book because if there ever is an involuntary disclosure what you've seen in the last couple of days will come back hundredfold.


This is good advice, but I'll add to it. Your general counsel is an acceptable, but not great, substitute for a real VP-level privacy officer. Lawyers tend to look at privacy issues with an eye towards compliance, i.e. does this privacy issue subject us to regulatory scrutiny or open us up to lawsuits? They don't always look at these issues from the point of view of "What is our company's philosophy around the sharing of our users' data, around providing transparency and control for users, and does this feature align with that philosophy?" A dedicated privacy professional will explore that question deeply.

In my opinion, in 2020, any company that releases software and has more than like 20 engineers should have at least one VP-level privacy approver who has the power to block releases.


I hope you went back to Aaron and thanked him for that input and perhaps apologized for dismissing it. It can be really frustrating to lead something and have founders/execs shoot down your professional input, ideas, or concerns because... Well, why did you?


Though you are small and do not have an official chief privacy officer or CISO, do you have personnel that are champions of those desires? If not, nurture or acquire. If so, listen to them. This is 2020. If you look at Zoom, you can argue that security and privacy can come later, that the market will do anything for features and forgive any security or privacy faux pas. You would not be wrong, but such a calculus is what people in this forum are objecting to. People mainly feel bad that the economic incentive for privacy is weak. Are you following GDPR? Have you heard of it? A privacy move on top of your apology and retraction could differentiate your company as the privacy aware alternative, much like DuckDuckGo has made privacy its key differentiator, or, if you need a stronger financially motivating example, much like Apple is touting privacy in all that they do.


I appreciate your direct honesty here and elsewhere, but I—and likely much of your core market—feel that leverage of opt-out and old customer data to get critical mass in a pivot to an unrelated business was already unethical. That you’re a recruiter made it inexcusable but it was never an idea that was respectful to your users to begin with.

Dude, you were going to use us to publicly endorse your new platform via usage and give it immediate legitimacy, without our consent. Don’t you get that’s what “critical mass through public profiles” means? People join because people are already there?

This is probably the post that disturbs me most of what I’ve read, for simply ignoring that the decision was problematic on multiple levels. Either you’re still not completely getting it or this is disingenuous, and neither option is comforting.

And trying to be charitable as possible here, it’s very easy to take your clinical recounting as being cavalier in its precision. I don’t think we’re all necessarily far enough from the situation yet that you should treat it as the distant past when discussing it. You still have my data, at least for the moment, and it’s still an ongoing concern.


How about the dark patterns you employed on the opt-out?


Sadly, those patterns are just industry standard UX at this point.


No, they really aren't. Some of the reported patterns probably aren't even legal in large parts of the world today.

Not that it would matter if they were. Other people doing nasty things is no excuse for doing them yourself as well.


The hell they are.


Are you the only person working there? Did no one else say anything about this? It seems impossible given the huge backlash that absolutely no one at Triplebyte stood up and said "this is a mistake".



