> The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.
I know it's been said elsewhere, but you need a lawyer. This isn't something for you to work out, it's something for you to clearly understand your legal obligations, and what your exposure is based on which jurisdictions a user might log in from.
You can't possibly pretend to understand the laws from every single country. That is the reason why you need a lawyer. This app targets all countries in the world. Even if it was just for the US, you would need one.
Well, obviously, I can't even read the codes of other countries! Even if I could, I wouldn't trust myself to understand them - cultural context matters for understanding. Like, how much "must" is there in "should" and similar. I'm asking more about your local laws (so, state + federal, in the US?) - obviously, if you need to cover multiple jurisdictions, that's a pain better outsourced to specialists.
This service is currently running, in production, in the United States, and is missing key features that are regulatory or legal requirements. I won't enumerate them because I work in security, not privacy or compliance (although those are features that require strong security and I often support related projects).
The app is designed to allow sharing of personally identifiable information, and apparently doesn't distinguish regions, age, etc.
Assuming OP is American, and hosting the service in the US, and given the target audience and proposed use case, I can think of a couple of regulations that apply:
FTC Act
COPPPA
CCPA
All of the privacy laws documented here: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
If an EU user signs up, then obligations must be met under the FTC's Data Privacy Framework and compliance with various EU and national regulations come into play.
It's not impossible for someone to adhere to all of the laws, it's just a full time job to do it. It's probably not reasonable for a single person to build and operate a service with the privacy and security requirements and claims that the author of KatesApp makes, and meet the compliance requirements. It is abundantly clear to anyone who works in privacy or security that the website doesn't meet the bare minimum requirements, and has very little standing to defend itself.
For reference for anyone who hasn't signed up for it, there is no terms of service, and no privacy policy.
The service includes features to allow uploading of data related to:
Prescriptions - medication, dosage, instructions, prescriber, and pharmacy
Medical Appointments - who (presumably the medical professional), date/time, location, and reason for medical appointment
Doctors - a list of doctors, clinic, contact info
Upload files, with this helpful list of suggestions of medical records to upload:
- insurance information
- advanced directives or DNR/DNI
- a copy of your vaccination card
- lab test results, doctors' reports, x-ray, MRI, and CT - scans, or other images
- voice recordings of visits with the doctor or other providers
- self-monitoring logs (sleep, diet, exercise, etc.)
Anyone can sign up and create and share files and resources using this service. From the main public page, the author requires a signup code, but signing up from the HN link on the post bypasses this. There is no validation of who the user is, no confirmation that the person who signed up owns the account, or options to delete my test account or data. There are no controls that appear to limit what might be uploaded other than file size.
As of right now, this site is in violation of Canadian law and EU laws regulations. I assume it is also in violation of American laws and regulations.
I understand what the author is attempting to do, and why they are doing it, and they are deserving of empathy (and in my other comment I provided them a road map to improve some of the security issues on the site), but launching a website into production that gathers this data, in the United States is not only unwise, it is probably negligent, and it's reasonable to expect that someone could sue the owner of the application.
From a user privacy and security perspective, a user of this service would quite literally have more protections and controls using a google spreadsheet or shared folder to store and share these documents.
For the record: I don't disagree with anything above.
My question was more about whether you need a lawyer to know you need a privacy policy... It was tangential, admittedly; sorry about that.
To make the direction of the tangent clearer (and please ignore it if it distracts from the main discussion too much): I'm in the EU, and I know that I'd need to read GDPR[1] before letting people see such an app. I haven't read it - I quite possibly would give up at Act 4 and decide I do need a lawyer. But my first instinct would be to go read the Regulation itself.
[1] Actually, RODO (official translation): https://gdpr.pl/baza-wiedzy/akty-prawne/interaktywny-tekst-g...
A side effect of my career is that I have been in compliance adjacent roles for 20 years or so, and as a result I have read most of the related regulations. I still defer to a lawyer for actual opinions, but have frequently had to explain the technical implications of regulations to lawyers.
The bottom line is that the regulation is not a technical specification, it is a legal document, and parsing a legal document requires both the ability to read the regulation, and also to reason by applying the jurisprudence that is specific to the jurisdiction for the regualtion. Essentially, interpreting the law and translating it into requirements requires the ability to both outline the technical requirements and understand what is required to make the implementation legally defensible.
A good example of this is data deletion under GDPR. The expectation of the law is that when you get a deletion request, you will delete the data. In practice, deleting data is hard, unless you build your backup mechanisms to allow deletion of individual fields. With that in mind, companies meet this requirement by implementing a deletion scheme for production systems, and a mechanism such that datasets marked for deletion are logged, and when a restore from backup is performed, the restoration process references those deletion logs to ensure that deleted records are not restored. This, technically speaking, does not result in proper deletion of the data, but it has passed audits under data deletion regulations (Disclaimer: this is based on public documents detailing data deletion requirements, not my work directly. Consult your lawyer, I am not a lawyer, and I am not on your compliance or security team and this is not a recommendation).
As someone under civil law jurisdiction, I have a hard time parsing this:
> This isn't something for you to work out, it's something for you to clearly understand your legal obligations
Like, is it really impossible to "understand your legal obligations" without help from a lawyer? Is it supposed to be like that? Why? Are the laws explicitly written to be impossible to understand if you're not a lawyer?
I might have lucked out, but in the few instances where I had doubts, just reading the relevant code gave me all the advice I needed. They are written to be clear and unambiguous as much as possible - in effect, they're tedious and wordy but perfectly understandable. It's easy to recognize the complex or unclear parts because they really stand out from the rest - and that's when you ask a lawyer.
Of course, if there's a significant penalty or otherwise stakes are high, consulting with a lawyer is a good idea. But the notion of "the people" only ever interacting with "the law" through intermediaries is... strange? Then again, you don't generally risk being shot in the head for arguing with a policeman here, which might or might not be a separate issue.