Our product is ruining users' privacy, without telling them [on hold]
65 votes
The current start-up I'm working with for now is obviously a threat to its users' privacy. The product we're producing (which I'm involved in a HUGE part of) records the user's contacts. It's stated in the Privacy Policy that they're being recorded for "the sake of usability and ease of access" and "they can be erased by user request". However, even if a person requests us to, all of his/her contacts are being soft-deleted without telling them.
It gets worse that we're also logging the user's location history, without stating it in the privacy policy. I told them to state this, but they just ignore me.
The only way I had was to tell my close friends and family not to install this spyware.
What should I do? Do I have to concern about being accused by the government?
software-industry privacy
put on hold as off-topic by gnat, solarflare, Monica Cellio♦ 3 hours ago
This question appears to be off-topic. The users who voted to close gave these specific reasons:
- "Questions require a goal that we can address. Rather than explaining the difficulties of your situation, explain what you want to do to make it better. For more information, see this meta post." – Monica Cellio
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – gnat, solarflare
If this question can be reworded to fit the rules in the help center, please edit the question.
9
You don't state where you are... that would help in providing specific advice for this situation.
– Stese
17 hours ago
1
@Stese he can state if the app is available globally or only locally.
– Simon
17 hours ago
131
You should change your picture / user name, dude.
– Roman
17 hours ago
1
"Do I have to concern about being accused by the government?" sounds like asking for legal advice. "What should I do?" is often quoted as an example of a bad question format. I don't want to VTC because I think this is an interesting question, I'm just stuck on how it could be reformatted to keep it clearly valid.
– dwizum
17 hours ago
26
I really hope you are not using your real name and the avatar picture is not your own. Cover your assets and good luck.
– Mindwin
14 hours ago
edited 17 hours ago by David K
asked 17 hours ago by ehsaan
6 Answers
94 votes
If you don't agree with what the company is doing ethically, then you should probably quit asap.
If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.
answered 17 hours ago by Time4Tea
13
Reporting can often be done anonymously, or while keeping your name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
Pissed off previous employers/colleagues who take revenge in some unforeseen way.
– Martijn
14 hours ago
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
74 votes
What I do in such situations. (had a situation where my employer did not want to buy some licenses of software we used commercially)
Step one: Make sure I get my facts straight and have evidence of my claim.
Step two: Make management aware of the problem. Leave a paper-trail of doing so. Assume no malice and make no accusations. Just describe the problem and offer a solution.
Step three: After some time, ask if action has been taken. If not, ask for a timeline. Again, leave a paper-trail.
If it gets clear to you no action will be taken, think about:
A. Do you want to keep working there?
B. Do you want to / have to report this to the police etc. I'd ask a lawyer about this.
The thinking is (in my jurisdiction, Germany) you have the obligation to protect your employer from harm. You also have the obligation not to break the law. So the first step if your employer is doing something (unintentionally?) unlawful, would be to make them aware of that. If they decide to take no action, and you make their misconduct public, harm is not on you, but on them, since they ignored you.
If you want to keep working there or not is up to you. Either way, be prepared to be fired immediately, especially if they do violate the rules intentionally. And never knowingly contribute to any unlawful conduct yourself.
About list of things to ask yourself, you should add "C. Do I want the risk of being considered guilty" because OP can no longer claim being ignorant, and if this privacy breach is illegal, he will be the one dev that was knowingly and willingly developing it. One more thing to ask yourself, and your lawyer I guess.
– Mołot
15 hours ago
3
@Mołot: It will be hard to prove that. First, OP is probably not a legal professional and normally he has to trust his employer to get those things sorted out by professionals. Secondly, you'd have to prove that he was actively contributing to the malicious element. Third, as long as the data does not get used for fraud, it will be hard to prove any harm done by OP. I think, at least in Germany, my approach is pretty safe. Of course IANAL so when in doubt, please get appropriate legal counsel yourself!
– Daniel
15 hours ago
process of proving one way or another can be long, tiring and problematic for career, even if he finally is found innocent... That's why I'd add it as third point to things he should think and talk to his lawyer about.
– Mołot
15 hours ago
3
There are sensible reasons to use soft-delete as the default handling for data, and times when a carefully-written more thorough deletion is required, as here. +1 for step 2 here, making sure that it's not a genuine oversight.
– chrylis
12 hours ago
@Mołot with privacy-related stuff, most things that an app does can be legaled away by disclosing it in the privacy policy or in the UI, in such a way that the user can make an informed decision on whether to use a particular product or feature. During development it is quite reasonable for a developer to assume that what they're developing will be disclosed to users. It's when the app or company deceives or misleads the user that this becomes an actual privacy problem.
– Lie Ryan
2 hours ago
16 votes
Do I have to concern about being accused by the government?
If you have to ask the question the answer is probably "yes", but I am not a lawyer.
You're deep into "flee right now" territory.
8 votes
Get a lawyer. Yesterday. They can help you navigate local laws. They can tell you if anything you did was complicit or illegal. They can help you mitigate that if you are. And they can help you navigate whistleblowing.
What you need now more than anything is legal help and a well-informed exit strategy.
5 votes
You need to quit, and then you need to blow a whistle. Get on Twitter or snitch really hard to whichever government agency would do something about this. Ethics exist for a reason.
6
If the conduct isn't illegal in OP's country, it could be a violation of the NDA to whistleblow.
– Adonalsium
14 hours ago
1
@Adonalsium: If the conduct isn't illegal in OP's country, then OP's country has corrupted law. (The conduct is illegal due to the false claim in the EULA even if the law would normally permit it.)
– Joshua
11 hours ago
5
@Joshua The US has very weak privacy protections, and a false claim in the EULA would probably be actionable rather than criminal. If I were affected, I'd have to show damages in a lawsuit, and that could be difficult. Not that I'm necessarily disagreeing with you.
– David Thornley
10 hours ago
0 votes
Why have websites all had popups about cookies for the last year? What is the last Supreme Court ruling in this area? You don't know? Ok. Take some perspective here and embrace the fact that you are not a lawyer, not a compliance officer, and not even very experienced in this sort of thing. Your concerns are fair but you're "in over your head" legally as to what to do.
Harvesting contacts by logging into their email is rude in my opinion, but it's also gold standard - Facebook does it, LinkedIn does it, Twitter does it, everybody does it. No legal issue there. You could try to make an issue, but you'll have to "make new law*" in that area, and you would be a legal superhero if you pulled it off.
Deleting the data on request is fair.
"soft delete", that really is a matter of what happens next. It may be reasonable, for load-balancing reasons, to flip a "soft delete" bit, then have a scrubber process run nightly or weekly that looks for accounts with soft-delete set, and does hard-delete on the data. Delaying that delete a few days is also reasonable where users tend to "rage-quit", delete their account and then regret it and want it restored.
As far as logging user location, that is a side-effect of logging IP address, and that is the first thing any web log records; again gold standard. And very helpful for troubleshooting and abuse prevention reasons. If you mean "using the app to get their GPS geolocation" the user consented to that, and that consent is enforced by the phone OS because they know developers can't be trusted.
So when you look at all that in balance, there are obviously a lot of fine distinctions and other gotchas in this entire area of practice. It isn't clear. What's clear is you need to become much more of an expert on these subjects than you presently are.
So instead of asking "How can I report", you should be asking "How can I distinguish exactly what is legal and proper, and what is not?", or on a case by case basis, "My company is doing X. Is that OK?" For this you should be turning to security and privacy experts.
* "make new law" is slang for having a legal case with a unique enough situation that an appeals court decides and makes it precedent. You must a) sue someone, b) have the case turn on a question not yet resolved in legislative law or case law, c) lose so you can d) appeal the case on up into the appeals system (or win and convince the opponent to appeal), then e) win at appeal, and f) convince the appeals court that their decision is unique and solid enough to publish as a precedent. I know someone who did this; he is an aggressive, malicious [censored] and that's kinda what it takes.
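The soft-delete-then-scrub pattern this answer describes, as an added example that is not part of the original answer or of the asker's product: an erasure request sets a flag, a scheduled scrubber hard-deletes flagged rows once a grace period has passed, and an audit query reports rows that outlived it (the situation in the question, where soft-deleted contacts are never purged). The table and column names, the 7-day grace period and the sample contacts are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed restore window; the answer above only says "a few days".
GRACE = timedelta(days=7)

SCHEMA = """
CREATE TABLE contacts (
    id         INTEGER PRIMARY KEY,
    owner_id   INTEGER NOT NULL,
    name       TEXT    NOT NULL,
    phone      TEXT    NOT NULL,
    deleted_at INTEGER           -- NULL = live, Unix time = soft-deleted
);
"""

def epoch(ts):
    return int(ts.timestamp())

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # Overwrite freed pages with zeros so hard-deleted rows do not linger in
    # the database file. Backups, replicas and logs are outside this example.
    db.execute("PRAGMA secure_delete = ON")
    db.executescript(SCHEMA)
    return db

def request_erasure(db, owner_id, now):
    """User asks for deletion: flag the rows, keep them restorable for GRACE."""
    cur = db.execute(
        "UPDATE contacts SET deleted_at = ? "
        "WHERE owner_id = ? AND deleted_at IS NULL",
        (epoch(now), owner_id))
    db.commit()
    return cur.rowcount

def restore(db, owner_id, now):
    """Undo an erasure request, but only while still inside the grace window."""
    cur = db.execute(
        "UPDATE contacts SET deleted_at = NULL "
        "WHERE owner_id = ? AND deleted_at > ?",
        (owner_id, epoch(now - GRACE)))
    db.commit()
    return cur.rowcount

def scrub(db, now):
    """Scheduled job: hard-delete every row whose grace window has expired."""
    cur = db.execute(
        "DELETE FROM contacts WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (epoch(now - GRACE),))
    db.commit()
    return cur.rowcount

def overdue(db, now):
    """Audit check: soft-deleted rows still held past the grace window.

    A non-empty result means the scrubber is missing or failing, so data the
    user was told is erased is in fact retained.
    """
    rows = db.execute(
        "SELECT owner_id, COUNT(*) FROM contacts "
        "WHERE deleted_at IS NOT NULL AND deleted_at <= ? "
        "GROUP BY owner_id ORDER BY owner_id",
        (epoch(now - GRACE),)).fetchall()
    return dict(rows)

def demo():
    db = open_db()
    # Constructed sample data, not real contacts.
    db.executemany(
        "INSERT INTO contacts (owner_id, name, phone) VALUES (?, ?, ?)",
        [(1, "Alice Example", "+1-555-0100"),
         (1, "Bob Example", "+1-555-0101"),
         (2, "Carol Example", "+1-555-0102")])
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    flagged = request_erasure(db, 1, t0)
    request_erasure(db, 2, t0)
    restored = restore(db, 2, t0 + timedelta(days=2))   # user 2 changes their mind
    early = scrub(db, t0 + timedelta(days=3))           # nothing is old enough yet
    stale = overdue(db, t0 + timedelta(days=8))         # what an auditor would see
    too_late = restore(db, 1, t0 + timedelta(days=8))   # window has closed
    purged = scrub(db, t0 + timedelta(days=8))
    left = db.execute("SELECT owner_id, name FROM contacts ORDER BY id").fetchall()
    return {"flagged": flagged, "restored": restored, "early": early,
            "stale": stale, "too_late": too_late, "purged": purged,
            "left": left, "after": overdue(db, t0 + timedelta(days=8))}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```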
add a comment |
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
94
down vote
If you don't agree with what the company is doing ethically, then you should probably quit asap.
If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.
13
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
|
show 5 more comments
up vote
94
down vote
If you don't agree with what the company is doing ethically, then you should probably quit asap.
If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.
13
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
|
show 5 more comments
up vote
94
down vote
up vote
94
down vote
If you don't agree with what the company is doing ethically, then you should probably quit asap.
If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.
If you don't agree with what the company is doing ethically, then you should probably quit asap.
If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.
answered 17 hours ago
Time4Tea
3,43331130
3,43331130
13
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
|
show 5 more comments
13
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
13
13
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
Reporting can often be done anonymously, or while keeping you name out of it. Do think about the timing though (you leave, they get checked is "odd timing" to say the least).
– Martijn
15 hours ago
2
2
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
@Martijn Yes, but if you've already left then what's the issue?
– Tashus
14 hours ago
14
14
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
Pissed of previous employers/colleages who take revenge in some unforseen way.
– Martijn
14 hours ago
4
4
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
@Adonalsium IANAL; however, I believe an NDA usually protects against someone disclosing specific proprietary information. I would think someone could 'tip off' a regulatory agency to malpractice, without violating an NDA by disclosing any proprietary material.
– Time4Tea
14 hours ago
3
3
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
@Time4Tea That's generally supposed to be covered by whistleblower protections. Whether or not it is is... complicated, and you'll probably need to hire a lawyer to get the full answer (they won't be able to answer in the free 30 minute thing that some lawyers have). That said, most NDAs only cover proprietary information, so if you just say "this product has severe privacy violations; it records [blah] and [blah]", that might not fall under your NDA. Depends on the specific wording, of course, but I'm 90% sure it's possible to do. You just might need to be vague.
– Nic Hartley
13 hours ago
|
show 5 more comments
up vote
74
down vote
What I do in such situations. (had a situation where my employer did not want to buy some licenses of software we used commercially)
Step one: Make sure I get my facts straight and have evidence of my claim.
Step two: Make management aware of the Problem. Leave a paper-trail of doing so. Assume no malice and make no accusations. Just describe the Problem and offer a solution.
Step tree: After some time, ask if action has been taken. If not ask for a timeline. Again, leave a paper-trail.
If it gets clear to you no action will be taken, think about
A. Do you want to keep working there?
B. Do you want to / have to report this to the police etc. I´d ask a lawyer about this.
The thinking is (in my jurisdiction, Germany) you have the obligation to protect your employer from harm. You also have the obligation not to break the law. So the first step if your employer is doing something (unintentionally?) unlawful, would be to make them aware of that. If they decide to take no action, and you make their misconduct public, harm is not on you, but on them, since they ignored you.
If you want to keep working there or not is up to you. Either way, be prepared to be fired immediately, especially if they do violate the rules intentionally. An never knowingly contribute to any unlawful conduct yourself.
edited 15 hours ago
answered 16 hours ago
Daniel
15.5k93560
About list of things to ask yourself, you should add "C. Do I want the risk of being considered guilty" because OP can no longer claim being ignorant, and if this privacy breach is illegal, he will be the one dev that was knowingly and willingly developing it. One more thing to ask yourself, and your lawyer I guess.
– Mołot
15 hours ago
3
@Mołot: It will be hard to prove that. First, OP is probably not a legal professional and normally he has to trust his employer to get those things sorted out by professionals. Secondly, you'd have to prove that he was actively contributing to the malicious element. Third, as long as the data does not get used for fraud, it will be hard to prove any harm done by OP. I think, at least in Germany, my approach is pretty safe. Of course IANAL so when in doubt, please get appropriate legal counsel yourself!
– Daniel
15 hours ago
process of proving one way or another can be long, tiring and problematic for career, even if he finally is found innocent... That's why I'd add it as third point to things he should think and talk to his lawyer about.
– Mołot
15 hours ago
3
There are sensible reasons to use soft-delete as the default handling for data, and times when a carefully-written more thorough deletion is required, as here. +1 for step 2 here, making sure that it's not a genuine oversight.
– chrylis
12 hours ago
@Mołot with privacy-related stuff, most things that an app does can be legaled away by disclosing it in the privacy policy or in the UI, in such a way that the user can make an informed decision on whether to use a particular product or feature. During development it is quite reasonable for a developer to assume that what they're developing will be disclosed to users. It's when the app or company deceives or misleads the user that this becomes an actual privacy problem.
– Lie Ryan
2 hours ago
up vote
16
down vote
Do I have to concern about being accused by the government?
If you have to ask the question the answer is probably "yes", but I am not a lawyer.
You're deep into "flee right now" territory.
answered 17 hours ago
Dark Matter
2,275514
up vote
8
down vote
Get a lawyer. Yesterday. They can help you navigate local laws. They can tell you if anything you did was complicit or illegal. They can help you mitigate that if you are. And they can help you navigate whistleblowing.
What you need now more than anything is legal help and a well-informed exit strategy.
answered 12 hours ago
bruglesco
1,164319
up vote
5
down vote
You need to quit, and then you need to blow a whistle. Get on Twitter or snitch really hard to whichever government agency would do something about this. Ethics exist for a reason.
answered 15 hours ago
Steve
1,298314
6
If the conduct isn't illegal in OP's country, it could be a violation of the NDA to whistleblow.
– Adonalsium
14 hours ago
1
@Adonalsium: If the conduct isn't illegal in OP's country, then OP's country has corrupted law. (the conduct is illegal due to the false claim in the EULA even if the law would normally permit it)
– Joshua
11 hours ago
5
@Joshua The US has very weak privacy protections, and a false claim in the EULA would probably be actionable rather than criminal. If I were affected, I'd have to show damages in a lawsuit, and that could be difficult. Not that I'm necessarily disagreeing with you.
– David Thornley
10 hours ago
up vote
0
down vote
Why have websites all had popups about cookies for the last year? What is the last Supreme Court ruling in this area? You don't know? Ok. Take some perspective here and embrace the fact that you are not a lawyer, not a compliance officer, and not even very experienced in this sort of thing. Your concerns are fair but you're "in over your head" legally as to what to do.
Harvesting contacts by logging into their email is rude in my opinion, but it's also gold standard - Facebook does it, LinkedIn does it, Twitter does it, everybody does it. No legal issue there. You could try to make an issue, but you'll have to "make new law*" in that area, and you would be a legal superhero if you pulled it off.
Deleting the data on request is fair.
"soft delete", that really is a matter of what happens next. It may be reasonable, for load-balancing reasons, to flip a "soft delete" bit, then have a scrubber process run nightly or weekly that looks for accounts with soft-delete set, and does hard-delete on the data. Delaying that delete a few days is also reasonable where users tend to "rage-quit", delete their account and then regret it and want it restored.
As far as logging user location, that is a side-effect of logging IP address, and that is the first thing any web log records; again gold standard. And very helpful for troubleshooting and abuse prevention reasons. If you mean "using the app to get their GPS geolocation" the user consented to that, and that consent is enforced by the phone OS because they know developers can't be trusted.
So when you look at all that in balance, there are obviously a lot of fine distinctions and other gotchas in this entire area of practice. It isn't clear. What's clear is you need to become much more of an expert on these subjects than you presently are.
So instead of asking "How can I report", you should be asking "How can I distinguish exactly what is legal and proper, and what is not?", or on a case by case basis, "My company is doing X. Is that OK?" For this you should be turning to security and privacy experts.
* "make new law" is slang for having a legal case with a unique enough situation that an appeals court decides and makes it precedent. You must a) sue someone, b) have the case turn on a question not yet resolved in legislative law or case law, c) lose so you can d) appeal the case on up into the appeals system (or win and convince the opponent to appeal), then e) win at appeal, and f) convince the appeals court that their decision is unique and solid enough to publish as a precedent. I know someone who did this; he is an aggressive, malicious [censored] and that's kinda what it takes.
answered 4 hours ago
Harper
2,7811512
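The soft-delete-then-scrub pattern described in the answer above (and in chrylis's earlier comment), as an added Python/SQLite sketch that is not part of any post or of the product discussed. The table names, the 7-day grace period and the `overdue_erasures` audit query are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # assumed value; the answer only says "a few days"

SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    deleted_at INTEGER            -- NULL = active; epoch seconds = soft-deleted
);
CREATE TABLE contacts (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    name    TEXT NOT NULL,
    phone   TEXT NOT NULL
);
"""


def _ts(dt):
    return int(dt.timestamp())


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE CASCADE without this
    db.executescript(SCHEMA)
    return db


def request_erasure(db, user_id, now):
    """Soft delete: only sets the flag. The contacts are still stored."""
    with db:
        cur = db.execute(
            "UPDATE users SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
            (_ts(now), user_id))
    return cur.rowcount == 1


def restore(db, user_id, now):
    """Undo a 'rage-quit', but only while the grace period is still running."""
    with db:
        cur = db.execute(
            "UPDATE users SET deleted_at = NULL WHERE id = ? AND deleted_at > ?",
            (user_id, _ts(now - GRACE)))
    return cur.rowcount == 1


def scrub(db, now):
    """Scheduled job: hard-delete accounts whose grace period has expired.
    The foreign key cascade removes their contacts in the same transaction."""
    with db:
        cur = db.execute(
            "DELETE FROM users WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
            (_ts(now - GRACE),))
    return cur.rowcount  # accounts purged (cascaded rows are not counted)


def overdue_erasures(db, now):
    """Audit check: (user_id, contacts still stored) for every erasure request
    older than the grace period. A non-empty result means the scrubber is not
    running and the 'soft' delete has become permanent retention."""
    return db.execute(
        """SELECT u.id, COUNT(c.id)
             FROM users u LEFT JOIN contacts c ON c.user_id = u.id
            WHERE u.deleted_at IS NOT NULL AND u.deleted_at <= ?
            GROUP BY u.id ORDER BY u.id""",
        (_ts(now - GRACE),)).fetchall()


def demo():
    db = open_db()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    with db:  # constructed sample data
        db.executemany("INSERT INTO users (id, email) VALUES (?, ?)",
                       [(1, "a@example.com"), (2, "b@example.com"), (3, "c@example.com")])
        db.executemany("INSERT INTO contacts (user_id, name, phone) VALUES (?, ?, ?)",
                       [(1, "Contact A1", "555-0101"), (1, "Contact A2", "555-0102"),
                        (2, "Contact B1", "555-0103"), (3, "Contact C1", "555-0104")])
    request_erasure(db, 1, t0)
    request_erasure(db, 2, t0)
    restored = restore(db, 2, t0 + timedelta(days=2))  # user 2 changes their mind in time
    late = t0 + timedelta(days=8)                      # grace period is over for user 1
    overdue_before = overdue_erasures(db, late)
    purged = scrub(db, late)
    return {
        "restored": restored,
        "overdue_before": overdue_before,
        "purged": purged,
        "overdue_after": overdue_erasures(db, late),
        "contact_owners": [r[0] for r in db.execute(
            "SELECT user_id FROM contacts ORDER BY user_id")],
        "restore_after_purge": restore(db, 1, late),
    }


if __name__ == "__main__":
    print(demo())
```

Backups, replicas and analytics copies are outside this sketch and need their own retention handling.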
9
You don't state where you are... that would help in providing specific advice for this situation.
– Stese
17 hours ago
1
@Stese he can state if the app is available globally or only locally.
– Simon
17 hours ago
131
You should change your picture / user name, dude.
– Roman
17 hours ago
1
"Do I have to concern about being accused by the government?" sounds like asking for legal advice. "What should I do?" is often quoted as an example of a bad question format. I don't want to VTC because I think this is an interesting question, I'm just stuck on how it could be reformatted to keep it clearly valid.
– dwizum
17 hours ago
26
I really hope you are not using your real name and the avatar picture is not your own. Cover your assets and good luck.
– Mindwin
14 hours ago