Founders, Please Remember You're Not Experts at Everything
On the virtues of consulting with a 'professional skeptical bastard' before launch
The Calmara rollout (or as I am now calling it, the "Is this dick sick, send us the pic" app) has been a fascinating case study in why we should all know a little Latin. In this case, the Latin phrase 'Ne supra crepidam' (Not beyond the shoe) comes to mind. The launch of this app (and the founders' respective responses) demonstrates what happens when experts in one area (medicine, tech) assume they can just wing it or get by without good advice on the legal stuff. Cobblers know shoes, not necessarily legs. And it's important that we all understand where our strengths are, and when to seek out help.
Based on the conversations I've had with Yudara Kularathne MD, FAMS(EM) and have tried to raise with Mei-Ling Lu, it's clear (at least to me) that the Calmara team rolled out a global product, but weren't thinking sufficiently about global risks. By all appearances, they didn't consult with experts who could have guided them early in the process on what types of questions to ask, what risks to consider, or how to design a product that treats the subject matter with the care and consideration it deserves. They either didn't know, didn't care, or got really, really bad advice. Maybe a little of each. I don't know.
Everything about this rollout signals that they were so busy 'embracing health innovation' and 'making a difference' that they didn't think about how they were achieving their goals. It's a very 'Zucky' 'Move Fast, Break Shit' kind of mindset, without appreciating that we're no longer in the early 2000s and the risk climate & legal landscape have changed.
Pointing this out (even with a little profanity) isn't 'hate speech'. It isn't 'baseless'. It's exactly the kind of frank honesty all founders hoping to innovate (especially those relying on novel tech/AI) should learn to embrace if they want to release a global product. Especially when that product carries real risks to people. If you're going to change the world, you need to do it right. That means doing it in a way that is honest, fair, and transparent, with safeguards and limitations in place, collecting only what is necessary for a valid reason.
The Value of Having a 'Professional Skeptical Bastard' on Call
As a privacy practitioner & DPO, this rollout and the response frustrate me because so much of the blowback the founders are receiving was predictable and preventable. Had they come to a 'professional skeptical bastard' (h/t Rahaeli) like myself, they would have received a much kinder, soberer (in both senses of that term), more reasoned, and genuinely helpful response. Together, we could have dug deeply into the privacy nitty-gritty, and addressed risks around:
what personal data is, and why it's much broader than PHI (definitions matter!)
what 'meaningful consent' actually means (and how to achieve it)
how to limit access by children (and what to do when it happens)
data subject rights (and how to make them happen)
distinctions between anonymous and pseudonymous data (yes, they are different, and no, you can't collect anonymous 'identifiers')
the pitfalls of overzealous data collection & unrestricted storage (it will bite you)
how to actually be 'transparent' (and why it's more than just cutesy words and emojis)
the benefits of hardened security controls and being honest about what you are doing (beyond just using AWS and saying that security is ‘at the top of our quest log’)
internationalization & accessibility (you can't be transparent if people don't understand what you're saying)
third-party risk (who else you share things with matters).
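The anonymous-versus-pseudonymous point above is the one most often gotten wrong, so here is an added example (mine, not code from the article or from Calmara) that makes it concrete. It uses a constructed set of three upload records with a made-up device identifier field, and shows that a hashed identifier, keyed or not, still links records from the same device (so the data is pseudonymous and remains personal data), while only an aggregate with the identifier dropped and small cells suppressed comes close to anonymous. Function names and the record layout are my assumptions for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: two uploads from the same device, one from another.
# Field names are assumptions for this example, not the app's real schema.
UPLOADS = [
    {"device_id": "device-1234", "day": "2024-03-20", "result": "no_concern"},
    {"device_id": "device-1234", "day": "2024-03-22", "result": "see_clinician"},
    {"device_id": "device-5678", "day": "2024-03-21", "result": "no_concern"},
]


def hashed_id(device_id: str) -> str:
    """Plain SHA-256 of an identifier. Deterministic, so every upload from the
    same device gets the same value: this is a pseudonym, not anonymisation."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def keyed_pseudonym(device_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Harder for outsiders to relate back to the
    raw identifier, but the key holder can still link records, so it is still
    pseudonymous personal data that needs the same safeguards."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(uploads, key: bytes):
    """Replace the raw identifier with a keyed pseudonym, keeping other fields."""
    return [
        {"pseudonym": keyed_pseudonym(u["device_id"], key),
         "day": u["day"], "result": u["result"]}
        for u in uploads
    ]


def is_linkable(records, field: str) -> bool:
    """True if any value of `field` appears in more than one record. Linkable
    records are, by definition, not anonymous: someone can single out a person."""
    counts = Counter(r[field] for r in records)
    return any(c > 1 for c in counts.values())


def anonymous_aggregate(uploads, min_count: int = 2):
    """Drop identifiers entirely and keep only counts per result, suppressing
    cells below `min_count` so a single person cannot be singled out."""
    counts = Counter(u["result"] for u in uploads)
    return {result: n for result, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    key = b"example-secret-key-keep-out-of-source-control"
    print("raw ids linkable:", is_linkable(UPLOADS, "device_id"))
    print("plain-hash linkable:", is_linkable(
        [{"h": hashed_id(u["device_id"])} for u in UPLOADS], "h"))
    print("keyed pseudonym linkable:", is_linkable(pseudonymise(UPLOADS, key), "pseudonym"))
    print("aggregate with identifiers removed:", anonymous_aggregate(UPLOADS))
```

Each of the first three checks prints True, which is the whole point: none of those transformations turns an identifier into anonymous data. Only the last step, which discards the identifier and publishes counts, stops individual records from being linked, and even that needs the small-cell suppression to avoid singling out the one person with a "see_clinician" result.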
We could have strategized on how to build the product with privacy/security-by-design-and-default principles in mind. We could have discussed the value & virtues of undertaking and publishing a data protection & security impact assessment and an AI audit, and how to develop messaging that effectively communicates this to a more global audience. We could have discussed why cultural mores, traditions, sensitivities, and yes, actual laws, might require a slow, but steady rollout, instead of just letting it all hang out on day 1 and hoping for the best. Oh, and I would have reminded Mei-Ling that asking for people to upload random dick pics from the internet is a terrible fucking idea that will undermine whatever concept of 'explicit consent' she thinks she got.
But instead, the founders decided that all that mattered was their medical expertise + good vibes about changing the world. Wanting to change the world and make it better is a noble, valuable goal, and I do really admire founders who are trying to make this a reality. But I appreciate and financially patronize founders who are doing that AND still being mindful of when to reach out for help to do things correctly.
I get that humility as a founder isn't always a common trait. Every founder/innovator/disruptor believes that their ideas will be different. That their expertise spans all things (or at least enough to get an MVP off the ground), that they've thought all the important stuff through. But if anything, the odds are stacked even more against founders and innovators today than they were a few decades ago. Laws have changed. There's more risk in the world, and the quantum of harm has changed. People are paying more attention. Regulators are starting to notice at a global level.
Hearing Hard Truth Isn't Hateful; It's a Gift
Finally, I want to close with the most unfortunate aspect of this whole affair -- the founders' response to critics. Spinning legitimate, well-founded, and defensible criticisms about how your company rolled out a product as 'emotional', 'hate speech' or 'baseless accusations' without properly assessing risk only confirms my suspicions -- that the founders didn't think things through. That they didn't heed the phrase Ne supra crepidam -- and decided to analyze the whole leg, or the arm, or the person -- not just the shoe. Or rather, in this case, they thought they understood the law, instead of just the medical situation of the dicks they were analyzing. It's clear though, by the response, and the failure to engage constructively, that the founders at Calmara are hoping that this will just blow over. I personally don't think it should.
By doubling down on this approach to dealing with criticism, by trying to portray the whole thing like a personal attack, they indicate that they'd rather play the victim game than fix the problems many have identified. If the founders really think we got the privacy aspects wrong, explain why! Don't hide behind how privileged you are and how you're doing it for the everyman. Don’t hide behind accusations of hate speech or us not embracing innovation. That's dismissive, entitled, and utterly disrespectful of the people you're hoping to help. Do better.
The CEO’s response is below in its entirety. Original link here.