24

I'm building an app that works across mobile devices and browsers. There is a chat component and I will be showing the profile photos that I find on the user's phone book (not from the image folders). To make these images visible on the web if the user works on a browser, I upload the profile photos from the user's phone to a server, and deliver them to the web app.

To support OTHER users, if they do not have a profile photo on their phone, I intend to display the first one that was uploaded, which came from somebody else's phone.

The app asks for permission to use the user's phone book. And there is fine print that the profile photos will be used in this manner.

Irrespective of the fine-print, is this 'acceptable use'? Am I opening my company to some risk?

Sunil Gupta
  • 30
    I upvoted this question because I think it is an interesting question, but not to endorse this practice. I fully agree with Trish. It is a bad idea to publish images from the user's device without explicit consent of the user, explicit consent of the person depicted and not even knowing what those images actually depict. And I don't think that any kind of fine print users probably never read makes it OK. Even if it were OK legally (which I doubt), it would certainly not be ethically OK. – Philipp Jul 22 '22 at 09:21
  • 4
    @Philipp That's precisely how we're supposed to use the upvote button. A good question is never limited to things that are personally, or generally, agreeable. We upvote for others to see the answer "DON'T DO THIS". – TCooper Jul 22 '22 at 20:10
  • 1
    If you want "default" profile icons, I suggest copying SE's approach instead. – Brian Jul 22 '22 at 20:16
  • Which country do you live in? GDPR doesn’t apply outside the EU. – JonathanReez Jul 22 '22 at 23:32
  • I live in India, where fine print sort of covers most abuse, and seeking legal remedies is often an exercise in futility (or death). Yet as this is an app with potentially global reach, I must obviously conform to the strictest legislation. Based on these informative comments I have changed the design to show only those avatars on a user's phone to that user only. – Sunil Gupta Jul 23 '22 at 11:52
  • 8
    @SunilGupta Even ignoring what is legal, you should also try to consider what is right. Informed consent is important; that's why more and more jurisdictions are enshrining it into law. It's not important because it's in law! – wizzwizz4 Jul 23 '22 at 14:06
  • If you don't plan to take payments from EU users, you shouldn't care what GDPR says: https://law.stackexchange.com/questions/81602/why-does-the-gdpr-matter-to-me-a-us-citizen-with-no-property-in-europe/81624#81624. But +1 to @wizzwizz4 - think whether or not it's the right thing to do. – JonathanReez Jul 23 '22 at 23:17
  • 1
    Even if you don't take payments from EU users, if you're mishandling PII of EU persons and your business has any presence in EU jurisdictions (or might decide to do so in the future), you may be in for a nasty surprise. – R.. GitHub STOP HELPING ICE Jul 24 '22 at 19:46
  • @Brian I've come to prefer initials as the default "image" (quite common in Microsoft products). They're clearly associated with a user (and taken from the name that user has set so aren't additional PII). – Chris H Jul 25 '22 at 11:39
  • @ChrisH - initially (on the web) the only thing I have is the phone number..., agreed that once I get the name from the phone, I could use the initials if there is no avatar - the issue is that the name too may be "private" so even that cannot be shared across users (as my original question was about sharing the avatar). – Sunil Gupta Jul 25 '22 at 13:42
  • @SunilGupta if you don't have the name, you can't use it and need to use something anonymous. But if you look at WhatsApp for example, at signup you give the name that's to be used in that app. Their wording: "This name will be visible to your... contacts" - that gets you a name they're happy to share. It sounds like you're trying to make it simple by grabbing their existing info, but even if it was legal it wouldn't be appropriate. – Chris H Jul 25 '22 at 13:52

2 Answers

50

BAD idea

It is one thing to upload the phonebook and associated pictures for use of the owner of the phonebook.

It isn't a fair use of the phonebook pictures - and you might not have a license anyway, as some people associate photos with numbers that they don't have a license to associate with anyway.

But what if instead of a photo of the person, the first photo someone associated with the person is a photo of something like... crack cocaine, a photo of someone in a very compromising situation, just genitals, or some other thing that is just as tasteless or possibly criminal to share? In that case, your company is possibly committing defamation, and in case sharing or possessing of the image itself is illegal, your company is now the actor and liable. Depending on the content of the picture, distribution of pornographic material (possibly even underage material of that sort) could be up that alley just as much as hate speech through symbols, usage of banned symbols (such as swastikas in Germany) and many many others.

Trish
19

Super illegal

Just focusing on the GDPR, what is your legitimate basis for taking the personal information of a third-party?

Dale M
  • This is a teaching/student app. When a teacher/student adds a new contact (which can be via a telephone number, may not be in that user's phone book) - I wanted a way to show a profile picture. There are apps (like TrueCaller, which also have user consent) to show the phone user's profile to others, when they call someone. Yes, these do not show profile photos from their phonebook... anyway, it's likely that my reasoning will not be a 'legitimate basis' under GDPR... – Sunil Gupta Jul 22 '22 at 13:15
  • 11
    @SunilGupta the point is that a GDPR legitimate interest (LI) requires a balancing test. Here, the data subjects are (a) the person whose contact book you're uploading, and (b) the person described by that contact. You would have to balance their interests/rights/freedoms against your interest in providing default contact pics. There's a slim chance that you might have a LI if both parties can reasonably expect this, in particular if everyone involved is a user of your platform. But I strongly suspect that your interest does not outweigh those people, especially considering personality rights. – amon Jul 22 '22 at 18:13
  • 5
    @SunilGupta and especially with what some people associate with people's numbers. Dick-pics are only the tip of the iceberg. – Trish Jul 23 '22 at 07:29