by animal-hash 1136 days ago
DO NOT GIVE THIS ACCESS TO YOUR WORK EMAIL! DO NOT GIVE THIS ACCESS TO YOUR WORK EMAIL!

There is no source code, and it gets READ access to your meetings!

Please do not make the error of giving a non-vetted source access to your PRIVATE data!


While your point is extremely valid, I think it's interesting how different the reaction would have been to a fun tool like this 15 years ago. I doubt this would be the top comment, which makes me wonder how many startups that grew from fly-by-night experiments into giant companies then would no longer be possible now due to everyone's hyper-sensitivity and risk aversion around anything tech-related (which again, is certainly valid).

Makes me wonder if this cycle of internet innovation is over, and whether we're now going to be subject to 50+ years of stagnation and increasing regulation while the more risk-averse personality types start dominating. Similar to what happened in the automotive industry -- think of the insanity and lack of concern for safety that went on at auto companies in 1920s Detroit that also simultaneously allowed for the core innovation and fast iteration in automotive to happen.

> I think it's interesting how different the reaction would have been to a fun tool like this 15 years ago.

My guess would be, even more "do not want". 15 years ago, "cloud" was not even really a thing, and many were understandably very averse to it when it was introduced. If anything, the megacorps have only convinced us to give up more of our privacy since then.

I have the complete opposite impression. Sure, Facebook and co. do partially depend on people oversharing. But people being careful about their data have seriously turned down their expectations. 10-15 years ago it would be a huge scandal if some software phoned home your software configuration. Today people are ok with unique advertising IDs.

Some say data protection today inhibits development. I do not think there is much merit to arguments of this kind.

I don't even believe the most important innovations wouldn't have been possible with more data protection at all and that includes huge datasets to feed AI.

Maybe the market for data being sold would be smaller. But that isn't innovation really.

Dude. Do you realize how many companies (of all sizes) use things like Trello, putting proprietary information into a free website that can do anything it wants with the data? Meetings are barely the tip of the iceberg.
In the same vein, it's very funny to me how many people are feeding proprietary information to LLMs without giving a damn about their employer's stance on data privacy.
Why wouldn't people do this? Employees are there to:

- Collect a paycheck

- Enjoy their job as much as the employer will let them

- Progress in their career

In 2023, there is usually zero loyalty in either direction. Much of management is about how you get people who fundamentally don't care about you (beyond the above) to do something in your interest.

This goes all the way up to most CEOs, so "your interest" means the CEO's interest (while not being fired by the Board).

Ethically speaking, you owe your employer the labor you promised for the wages agreed on. If they ask you to care about a data policy, and they're paying you to care, and you took the money, then you should care.

Morally speaking, you can decide that the employer doesn't have loyalty to you, so you won't have loyalty to the employer. But if that's your morality, then there is no rationale for being either loyal or disloyal, because you'll just mirror what someone else does. This makes the decision less meaningful than tossing a coin; it's a morality of randomness, which is dysfunctional and anti-social. It's better to live your own principles (such as loyalty) regardless of whether someone gives you the same back.

Practically speaking, doing your job the way your job wants you to do it (caring about data privacy) helps you in your career and improves the business, and improving the business keeps you in a job and again helps your career.

It's also a quarter of your life. Don't you want to do your job as well as you can, so that all that time wasn't a waste?

Your employer is a corporation, not a human. Corporations are an abstraction. There are two ethical perspectives one can take:

1) Mutual loyalty. This changed in the eighties, as jobs became transactional. Typical SWE tenure is three years today, and human resources are treated as just that, resources.

2) Improving the world. Would you rather individuals act in the interests of Shell Oil, Phillip Morris, Microsoft, Lockheed-Martin, or in the interests of society as a whole? Why do you care that a particular corporation survives or dies, rather than everyone being better off? If Google is replaced by DuckDuckGo or Bing, and customers / investors / employees switch over, what's the moral value of that?

It makes rational sense to do your job as well as you can, but "as well as you can" isn't defined the same as "to the benefit of maximizing shareholder value."

Most people I know switch viewpoints after a decade or two in industry. It takes an event or understanding the internals of corporations well enough.

As a footnote, "doing your job the way your job wants you to do it" doesn't even make sense. A corporation doesn't want anything. It's a collection of individuals. Your boss might want something, the CEO might want something different, yet a different thing might be in the interests of shareholder value, something completely different in the interests of customers, and a policy document stored on the intranet might dictate something yet different.

Loyalty doesn't solely mean staying at one job forever. You can be loyal to the terms of your employment and the expectations therein and still change jobs when it's in your best interest. You can also show loyalty later by refusing to share sensitive details about your past employer to a competitor, or referring people looking for a job.

Acting in the interests of a corporate entity and the interests of society aren't mutually exclusive. It's extremely beneficial to society for ethical people to work at large corporations to ensure the corporation does not harm society.

Well, clearly a corporation does want things, as a corporation is a capitalist entity. It wants to increase its profits and maximize shareholder value. The rules, regulations and bylaws of that corporation are what it wants executed by its employees (and which you are contractually obligated to comply with).

Doing one's job as well as one can means weighing many different competing forces and making the best choice you can. The same happens in your own personal life. Do you eat an entire pizza every night because it's tasty, or do you moderate how much pizza you eat to stay healthy? These are two competing interests (your tastebuds vs your health) that you have to juggle and make the best decision you can.

What a bleak view. This is not my experience at all and doesn't match that of most of my friends either. Many have been loyal to their employer for years, and it goes the other way around as well.
People are loyal to people. In any org your boss could be replaced tomorrow with someone who doesn't give a shit about you.
True. And it does happen. But I don't think it happens at the scale the post I replied to seems to suggest. I hear about it sometimes, but not so often that it would be an endemic thing that has to be assumed to be the default in 2023.
I was loyal until I was laid off. Never again.
Did you stop dating after the first time you were dumped?
Because of work ethics? In a world where everybody thinks like that, your plumber will map your house and sell the plans to burglars.
Actively assisting a crime is very different from passively doing something a little reckless.

Do you think contractors shred plans of your house after you hire them for a remodel? Or do they just throw them away in a dumpster, with your address on them, behind their offices.

Work ethics dictate a duty to other humans, not to corporations.

The two are sometimes the same, and sometimes very different. To the plumber point, if you work for a plumbing corporation which requires you to up-sell unneeded repairs, you have no ethical obligation to do so, and indeed, you have an ethical obligation to subvert that particular requirement.

On the other hand, you do have a duty to do plumbing right.

Capisce?

Yeah, that’s why it’s funny to me!
I'm lucky because at the moment I work at a public project that is meant to be public and there is no issue at all with checking an LLM.

That said, lately I have favored Kagi FastGPT for two (three) reasons:

- I trust Kagi a magnitude more (or even more) than I trust any FAANG company except Apple [1][2].

- It seems to be way more up to date.

- (It seems a bit less shy.)

[1]: Why? Sound business plan, incentives align.

[2]: Does it mean I trust them? No, that would have meant I hadn't learned a thing from WhatsApp. And no, after the photo snooping stunt from Apple a couple of years ago I don't trust them either, I only consider them my best option at the moment.

I'd appreciate it if you could elaborate on where your trust for Kagi comes from? I'm baffled that an ex-GoDaddy employee reselling Bing search results at a premium, with a history of "attracting customers at one price, then increasing the price substantially" (I won't use the legal term, as IANAL), who flags HN posts bringing these facts to the public's attention, has generated so much enthusiasm here. Maybe I missed something?
People that aren't lawyers can use legal terms and give legal advice informally. I just did it for example.
Quite true, but "bait and switch" is an actual legal standard that Kagi likely technically sidestepped, given that (for now) he's still in business. I want to make sure my posts are factual, and I'm not even sure which jurisdiction Kagi operates in, so I won't speculate as to whether the deception technically reached the level of fraud, even though the phrase "bait and switch" is commonly used by laypeople to refer to non-criminal types of deception. Nevertheless, it's fascinating to see "Kagi" and "trust" in the same sentence, and I wonder if this trustworthiness was actually demonstrated somehow. It's more likely we're witnessing some kind of cognitive bias like sunk cost fallacy.
> I'd appreciate it if you could elaborate on where your trust for Kagi comes from?

As written above: "Sound business plan, incentives align."

> reselling Bing search results at a premium,

Should I also refuse to deal with ex-Facebook employees? Ex-Google employees?

These two companies have created a lot more hassle/stress/worries in my life than Godaddy.

> reselling Bing search results at a premium,

With the value add he offers it makes it a great deal for me. I don't care if others make money on me, even lots of money, as long as it is a good deal for me.

In fact, I actually see it as good sign if people make money on the services they provide me, as it will both incentivize them to continue providing these services as well as encouraging others to start competing providers.

> with a history of "attracting customers at one price, then increasing the price substantially"

I got in at a really low price and got grandfathered into a deal that is still the best in the market. They have announced the change in a clear way and since I was free to cancel anytime I wanted I cannot complain.

Had I been tied to the service somehow I would probably have been annoyed even if the service was the same and the price hike was the same, but I wasn't and I find this to be within expectations for an early stage startup.

> who flags HN posts bringing these facts to the public's attention

I'm not aware of this. Would you care to link some sources?

If not I would just expect it was a totally unreasonable post and some happy customer like me flagged it. (And on a side note: While non YC companies aren't bound to YC standards I really hope most companies who frequent HN stick to the standard of not flagging complaints against themselves.)

Edit:

> has generated so much enthusiasm here. Maybe I missed something?

For some of us, a working search engine can save us a significant amount of time every day. After first having had a working search engine for years, then lost it and struggled for years with workarounds, I'd say my enthusiasm is rather understandable.

And I know this is not everyone's experience, but with my search patterns, and in the bucket Google has put my account, I get irrelevant results all the time and I get irrelevant and insulting ads all the time.

Thank you for the thoughtful response and useful info. I don't have visibility into who actually flags posts, but you could very well be correct. It's concerning to me that people find value in this product, but I'm glad you're enjoying it.
My boss used ChatGPT to write a proposal for a utility company recently. OpSec is so awful here it's laughable.
yeah, "very funny" as in reckless and ignorant of proprietary data best practices
At least with LLMs I get something useful in return.
And that's why I send it info. I used to send Google feedback until I realized it did nothing and stopped being not not evil.
My employer is explicitly against us putting stuff into chat gpt. Which is fair. But sad.
Not sure why Trello was picked as an example. Trello respects the privacy of its customers. It does not profit from collecting user information. Private company data remains private in Trello, even if the company doesn’t pay. Data is not shared and cannot be freely accessed by employees.
Their terms may have changed after they were acquired, I dunno. But Atlassian has something like two dozen different legal documents covering their software. How do you know what they do/don't do until you've had your legal department vet it?

As a random example: Trello can list any customer in their promotional materials (you have to dig through the legal docs to find the opt-out email). As the CEO of your own company, how would you like to see your company listed in a Trello ad when you're trying to do business with a Trello competitor, or gain a customer who competes with Trello?

Point being: employees use 3rd parties all the time in ways they shouldn't, often leaking a lot more data than meetings. It's why DLP is so popular.

By the same logic the terms of my current email provider could be changed and all of my emails could become public or sold to the highest bidder.

Both Trello and my email provider can do this. Both will have consequences.

Exactly, which is why you need to consider this stuff and not use those types of services if you have actual confidential data. Find a provider with clear contracts that prevent these types of changes. Self host. Whatever, just make sure to pay actual attention to what you're doing.
What is DLP?
data loss prevention
But how do we know? The pile is to the ceiling with other companies that said the same thing and later we discover that was definitely not the case.
Trello is owned by Atlassian. Not saying it's impossible, but they'd be shooting themselves in the foot big time if they pulled some shady shit that alienated their corporate user base.

I'd imagine they offer Trello for free to entice you to start paying for Jira (or god forbid, Confluence).

Leaking user data (or "anonymising" it and then selling it) doesn't alienate a corporate userbase, because corporations broadly do not care at all that user data gets leaked. Unless it materially affects their income, this is something that is ignored.
I work for a GMP manufacturer of pharmaceuticals and they use the free version of Trello and put tons of proprietary client information in Trello. Each client is a different company and they are never supposed to see data from the other one. It’s an absolutely insane thing to do in my opinion. I’m beginning to see why we are losing clients.
I use trello but would never give it read access to my mailbox or calendar.

There’s a big difference between me choosing what to put in trello (usually trivial data) vs giving an app unlimited read access.

Trello probably has more lawyers, more security professionals, and more QA than “Meeting Swipe Corporation” has employees?
Well, don't do that either (especially if you're a European company with a business the US would like to spy on).

Duh.

I guess I should not put any meetings into Outlook either since I cannot see the code.
That doesn't mean that either one is a good idea.
Um, yea, I would expect an app that is meant to help manage your meetings needs access to your calendar invites... that's the whole point.

If you used this logic, you couldn't use any non-open-source calendar tool, or apps like Superhuman.

You connect non-open-source third-party tools to your work calendar? I certainly don't.
Why is open source different? You are either hosting your own service instance or you are running something you don't control with no hard guarantee that the code matches what is running. (Not to mention compilation env differences and other intermediate possibilities.)
Because if it's not open source, then you can't trust it even when you do self-host it.
Do you read the full codebase including all dependencies including every changeset of the open source tools you connect?
Well, with private/company data, I for sure would skim the source and keep some network inspector open if I didn't have sufficient grounds to trust the app.

It's not black-and-white for me, more like an intuitive estimate of probability of mishandling data, colored by relevant policies. But some specific examples from work:

- I wouldn't use Trello or GSuite without clearing it with corporate; however, I would still trust the two much more than a random Tinder for Meetings app, because the two are well-known multinationals (read: stationary targets for lawsuits), while that Tinder for Meetings thing is a small thing, and could easily be a scam / data exfil attempt by someone who'll disappear the next day, never to be found;

- I use O365 tools, because corporate has signed appropriate deals with Microsoft and I can safely assume those tools are OK to use;

- I'm not worried about third-party packages from MELPA exfiltrating proprietary data via my Emacs, because of a combination of Free Software culture, Open Source culture, Emacs being niche, and this never happening before to my knowledge;

- I am worried about third-party extensions to VS Code, because it's more mainstream software culture, has mass appeal meaning it's a good target for scammers, and the entire ecosystem is thoroughly infused with analytics and surveillance bullshit;

- I use ChatGPT for various things (via API, through alternative frontend), but I do not use it for generic, non-company specific things, always triple-checking that I'm not accidentally revealing any IP; this is in line with recent company policies;

Etc.

Do you hire an accountant to do your company's taxes? If so, what's the difference?
Accountants are hired under confidentiality agreements. Connecting random third parties to your systems that have "we are allowed to do anything we want at any time" agreements is kind of the exact opposite of that.
As others said, accountants are hired under confidentiality agreements. What that means is, should said accountant breach my trust, they're an easy target to hit with a lawsuit. The possibility discourages scammy behavior and establishes some baseline trust.

Big corporations are also good targets for lawsuits - they may not be easy, but they are stationary, and if you have a good case, chances are many other people have one too. This is, again, establishing some baseline of trust, even in absence of a proper business contract.

Random SaaS / fresh startups? They're highly mobile targets. There's a good chance they may close shop and disappear overnight. There is no baseline of trust there, and much more thorough due diligence is required.

Confidentiality agreements aside, the scale isn't the same.

Accountants have tens of clients, online apps have thousands or millions. For an app, the relative benefit from skimming a bit off every client is higher, the relative cost of losing one client who notices is lower.

There is a regulatory body for CPAs, which includes things like ethics. There are "generally accepted accounting practices" (GAAP) which are adopted by regulatory bodies like the SEC and IRS. There are laws that are related to all of the above.

Point is, my dealings with my accountant(s) are highly regulated, and there are expectations of confidentiality, trust, and privacy -- with rules and laws to back that up.

Not the case with some random app handling your corporate data. Plus Outlook and other calendars integrate with many other systems, and there are a lot of nasty hacks if you can get someone's email. Lotta risk for negligible gain.

Definitely totally 100% unrelated, but do people notice that their security teams often focus on minuscule unlikely scenarios instead of potentially-company-ending bugs and exploits?

Things like your MacOS install being on 12.3.1 instead of 12.3.2, blindly listing off AWS/GCP recommendations without any consideration to how the service is implemented and/or how the infrastructure is used, or making engineering teams jump through seventeen hoops to deprecate an endpoint..... all while there's like a SQL injection in the primary public-facing customer API or something.

Security teams focus on requirements and objectives which are set by far removed entities and at vastly different generality and abstraction levels, often with objectives other than "make sure we and our customers don't get hacked", such as limiting legal liability and navigating a complex landscape of regulation and best-practice recommendations, ignoring which can also lead to legal liability. It should be no surprise that these have little overlap with actual security problems arising in their particular context.

A good security team will manage to find the time to also identify and address the actual concrete security issues.

Yes same issue in all my jobs. I've found that security and compliance standards for technology companies are created and maintained by accountants, not engineers. In a way this is good because if the engineers fix "the real issues" and the accountants focus on the "generic list that doesn't matter", you still end up catching some different things. Problem is the amount of fake work, as well as slowdowns created in exchange for no extra security.
Well, comparing version numbers is easy, and analyzing code is hard, so...
We have to have some level of trust. Otherwise we will need to manually and personally verify each line of each software that we use. And unfortunately this is impossible.
This is no different than using Reclaim.ai or Calendly with your work calendar. Obviously you should do your diligence with what software you give access to your calendar, but this likely isn't the first SaaS that has access these days...
The app wants you to mindlessly click through Google's access permissions without a second thought as to the impact of your actions.

Flashy application with no contact information or legitimacy trying to access data. Your alarm bells should be going off at that point.

> Your alarm bells should be going off at that point.

Whenever the erosion of privacy comes up, folks here point to regular folk being ambivalent until their identity is stolen. But even among the tech literate? Chill, don't worry, everybody is reading your work email!

With valuations down these days there's a great opportunity to do a rollup of spyware SaaS like these.

It's the modern day equivalent of tossing USB sticks in the parking lot.

FWIW Calendly claims that they do not collect appointment contents, only the time and duration.

They could, from a technical perspective, but their privacy policy states that they don't.

How else would you use this to manage work meetings without giving it access to your meetings?
How else would you gain access to tens of thousands of work calendars for espionage?

It only takes one day to write an app like this, and endless waves of tech people will give up their data for the chance to downvote a meeting.

If you like the idea of swiping left on meetings to cancel them then you're going to have to either pray someone makes a privacy respecting version of this that meets your standards (or make it yourself) or give up some level of privacy to use someone else's app and take the good with the bad.
No Privacy Policy => hard pass.
Does Privacy Policy even matter? It feels like those walls of texts are a kind of "privacy theater" to show users that the company has their shit together.

I'm wondering how many Privacy Policies are read by at least one employee of the company, and how many are copy-pasted from the competitor's web.

In the U.S. anyway privacy policies identify the company doing business, provide contact information and are legally enforceable by the FTC and states.
I'm with ya. I'm surprised there is not a flag meeting creates to limit scope and API info.
Soooooo.....like Calendly?
Compare Calendly's website filled with contact information, social media links, or pricing data to this skeleton site.
None of those things actually have any impact on how secure or privacy-preserving an app is...
> © copyright 2023

> Meeting Swipe

> Worldwide Corporation

Here's me wondering what that's even supposed to mean.

Why does stuff that's very easily "faked" (e.g. mail address at a UPS Store, etc) actually mean anything? This seems like paranoia theater.
I guess. Do people really connect work accounts to shit like that? Where on earth do you work?
Yes, yes they do, to hundreds of different shits a year; without a single thought about legal review or approval.
How do clients/candidates/vendors schedule time with you?
Microsoft, who provides our mail and calendar service, has a tool for this available in Office 365. So no need to connect an outside service. Otherwise, self-hosting is an option. Or you make the decision that the risk of using a third party is alright in your business and do that.
It's also built into Google Calendar, create an event across some time, then change its type to Appointment Schedule.
What's the tool?
Good point. Shouldn’t be using that either.
> There is no source code, and it gets READ access to your meetings!

sooo like whatever cloud thing you'd give it access to ?

Not my precious meetings!
I get it - you’re mocking the parent’s framing of this as a security issue.

Perhaps it isn't an issue for you, but in case it's not obvious, calendar entry titles and descriptions can contain (and have contained) confidential information that would present various forms of business risk if leaked. BigCo corporate IT policy often forbids placing such information on untrusted third-party hardware/software/services.

Of course this is a security issue, I was just making a joke about how I hate meetings. If this is confusing see:

"Meetings are like lasagna without the cheese—dull, bland, and ultimately unsatisfying." - Garfield

"Garfield." Cartoon. Created by Jim Davis. Published May 5th, 1987. Garfield.com, https://www.garfield.com/comic/1987/05/05. Accessed 15 May 2023.

"Meetings: The art of keeping the people who need to work in a room too long so they can't get any work done." - Dilbert

"Dilbert." Cartoon. By Scott Adams. Published October 7th, 2003. Dilbert.com, https://dilbert.com/strip/2003-10-07. Accessed 15 May 2023.

(and yes both references and quotes are fake)