ygjb 9 days ago

> The second is a bit more complicated, since multiple family members may have access to the same data, and may have different opinions on deleting it. I'll work it out.

I know it's been said elsewhere, but you need a lawyer. This isn't something for you to work out, it's something for you to clearly understand your legal obligations, and what your exposure is based on which jurisdictions a user might log in from.
klibertp 8 days ago

As someone under civil law jurisdiction, I have a hard time parsing this:

> This isn't something for you to work out, it's something for you to clearly understand your legal obligations

Like, is it really impossible to "understand your legal obligations" without help from a lawyer? Is it supposed to be like that? Why? Are the laws explicitly written to be impossible to understand if you're not a lawyer? I might have lucked out, but in the few instances where I had doubts, just reading the relevant code gave me all the advice I needed. They are written to be clear and unambiguous as much as possible - in effect, they're tedious and wordy but perfectly understandable. It's easy to recognize the complex or unclear parts because they really stand out from the rest - and that's when you ask a lawyer.

Of course, if there's a significant penalty or otherwise stakes are high, consulting with a lawyer is a good idea. But the notion of "the people" only ever interacting with "the law" through intermediaries is... strange? Then again, you don't generally risk being shot in the head for arguing with a policeman here, which might or might not be a separate issue.
netdevphoenix 8 days ago

You can't possibly pretend to understand the laws from every single country. That is the reason why you need a lawyer. This app targets all countries in the world. Even if it was just for the US, you would need one.
klibertp 8 days ago

Well, obviously, I can't even read the codes of other countries! Even if I could, I wouldn't trust myself to understand them - cultural context matters for understanding. Like, how much "must" is there in "should" and similar. I'm asking more about your local laws (so, state + federal, in the US?) - obviously, if you need to cover multiple jurisdictions, that's a pain better outsourced to specialists.
ygjb 8 days ago

This service is currently running, in production, in the United States, and is missing key features that are regulatory or legal requirements. I won't enumerate them because I work in security, not privacy or compliance (although those are features that require strong security and I often support related projects). The app is designed to allow sharing of personally identifiable information, and apparently doesn't distinguish regions, age, etc. Assuming OP is American, and hosting the service in the US, and given the target audience and proposed use case, I can think of a couple of regulations that apply:

- FTC Act
- COPPA
- CCPA
- All of the privacy laws documented here: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

In addition, if a Canadian user signs up, then PIPEDA, and various other regulations come into play. If an EU user signs up, then obligations must be met under the FTC's Data Privacy Framework, and compliance with various EU and national regulations comes into play. It's not impossible for someone to adhere to all of the laws, it's just a full time job to do it. It's probably not reasonable for a single person to build and operate a service with the privacy and security requirements and claims that the author of KatesApp makes, and meet the compliance requirements. It is abundantly clear to anyone who works in privacy or security that the website doesn't meet the bare minimum requirements, and has very little standing to defend itself.

For reference for anyone who hasn't signed up for it, there are no terms of service, and no privacy policy. The service includes features to allow uploading of data related to:

- Prescriptions - medication, dosage, instructions, prescriber, and pharmacy
- Medical Appointments - who (presumably the medical professional), date/time, location, and reason for medical appointment
- Doctors - a list of doctors, clinic, contact info
- Upload files, with this helpful list of suggestions of medical records to upload:
  - insurance information
  - advanced directives or DNR/DNI
  - a copy of your vaccination card
  - lab test results, doctors' reports, x-ray, MRI, and CT scans, or other images
  - voice recordings of visits with the doctor or other providers
  - self-monitoring logs (sleep, diet, exercise, etc.)

There are logs to show who created a data element under each of those types of records, but I didn't test the site deeply enough to determine if there are any audit controls or logs that are visible to users on who accessed what. The privilege system implemented is rudimentary, and is fundamentally weak due to the fact that user accounts are unverified. Anyone can sign up and create and share files and resources using this service. From the main public page, the author requires a signup code, but signing up from the HN link on the post bypasses this. There is no validation of who the user is, no confirmation that the person who signed up owns the account, or options to delete my test account or data. There are no controls that appear to limit what might be uploaded other than file size.

As of right now, this site is in violation of Canadian law and EU laws and regulations. I assume it is also in violation of American laws and regulations. I understand what the author is attempting to do, and why they are doing it, and they are deserving of empathy (and in my other comment I provided them a road map to improve some of the security issues on the site), but launching a website into production that gathers this data in the United States is not only unwise, it is probably negligent, and it's reasonable to expect that someone could sue the owner of the application. From a user privacy and security perspective, a user of this service would quite literally have more protections and controls using a Google spreadsheet or shared folder to store and share these documents.
klibertp 8 days ago

For the record: I don't disagree with anything above. My question was more about whether you need a lawyer to know you need a privacy policy... It was tangential, admittedly; sorry about that.

To make the direction of the tangent clearer (and please ignore it if it distracts from the main discussion too much): I'm in the EU, and I know that I'd need to read GDPR[1] before letting people see such an app. I haven't read it - I quite possibly would give up at Act 4 and decide I do need a lawyer. But my first instinct would be to go read the Regulation itself.

[1] Actually, RODO (official translation): https://gdpr.pl/baza-wiedzy/akty-prawne/interaktywny-tekst-g...
ygjb 7 days ago

A side effect of my career is that I have been in compliance adjacent roles for 20 years or so, and as a result I have read most of the related regulations. I still defer to a lawyer for actual opinions, but have frequently had to explain the technical implications of regulations to lawyers. The bottom line is that the regulation is not a technical specification, it is a legal document, and parsing a legal document requires both the ability to read the regulation, and also to reason by applying the jurisprudence that is specific to the jurisdiction for the regulation. Essentially, interpreting the law and translating it into requirements requires the ability to both outline the technical requirements and understand what is required to make the implementation legally defensible.

A good example of this is data deletion under GDPR. The expectation of the law is that when you get a deletion request, you will delete the data. In practice, deleting data is hard, unless you build your backup mechanisms to allow deletion of individual fields. With that in mind, companies meet this requirement by implementing a deletion scheme for production systems, and a mechanism such that datasets marked for deletion are logged, and when a restore from backup is performed, the restoration process references those deletion logs to ensure that deleted records are not restored. This, technically speaking, does not result in proper deletion of the data, but it has passed audits under data deletion regulations (Disclaimer: this is based on public documents detailing data deletion requirements, not my work directly. Consult your lawyer; I am not a lawyer, I am not on your compliance or security team, and this is not a recommendation).
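The restore-time check described in the comment above, as an added example that is not part of the thread and not code from KatesApp or any other product: an append-only erasure log (tombstones) is consulted while reloading a backup, so erased subjects are not resurrected, while a record the same subject created after re-registering is still restored. Names, integer timestamps and the sample records are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tombstone:
    subject_id: str   # data subject whose records were erased
    deleted_at: int   # when the erasure request was executed

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    created_at: int
    payload: str      # the personal data itself (constructed strings here)

class DeletionLog:    # append-only log of executed erasure requests
    def __init__(self):
        self._entries = []

    def record_erasure(self, subject_id, deleted_at):
        self._entries.append(Tombstone(subject_id, deleted_at))

    def suppresses(self, rec):
        # A tombstone covers only data that existed when the erasure ran, so a
        # record the same subject created after re-joining is not suppressed.
        return any(t.subject_id == rec.subject_id and rec.created_at <= t.deleted_at
                   for t in self._entries)

def restore(backup, log):
    """Split a backup into records to reload and ids withheld (kept for the audit trail)."""
    kept, withheld = [], []
    for rec in backup:
        if log.suppresses(rec):
            withheld.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, withheld

# Constructed sample: r1 comes from a snapshot taken before alice's erasure ran
# at t=150; r3 was created after alice re-registered, so it must be restored.
BACKUP = [
    Record("r1", "alice", 90, "medication A"),
    Record("r2", "bob", 95, "medication B"),
    Record("r3", "alice", 200, "medication C"),
]

def demo():
    log = DeletionLog()
    log.record_erasure("alice", 150)
    kept, withheld = restore(BACKUP, log)
    return [r.record_id for r in kept], withheld
```

The withheld ids are returned rather than discarded because an auditor will want evidence that the restore honoured the erasure log, not just the absence of the records.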
bhpreece 8 days ago

> you need a lawyer

Legal advice is part of working it out.