Add an option to turn off potentially privacy-compromising requests to twenty-icons.com

[geek-andi]

Bug Description

TwentyCRM (hosted ad elest.io) makes automatic requests to https://twenty-icons.com and thereby compromises personal data. We need to turn that off. It might be ok only for companies, but the extra benefits do not justify the risks imho.

This is also not legally viable in GDPR countries, and it doesn't matter if https://twenty-icons.com saves the data or not. We can't expose personal data to third party without consent!

Example:

When visiting the Companies list, I get errors in my console, which tells me what kind of data twentycrm tries to fetch from remote.

404 GET https://twenty-icons.com/denktmit.de/team/firstname-lastname NS_BINDING_ABORTED

Expected behavior

Remove any remote data fetching by default

Technical inputs

[BOHEUS]

Twenty-icons is only used for fetching the favicon (icon in browser tab) based on URL in Company record, so if e.g. URL is google.com, full URL to twenty-icons is https://twenty-icons.com/google.com and it doesn't save any data, also it's managed by Twenty and not by other company

Tbh, I don't understand why Twenty would add team with first and last name of some person to URL unless that person typed URL like that or it's done by Elestio (which is more than unlikely)

[geek-andi]

Twenty-icons is only used for fetching the favicon (icon in browser tab) based on URL in Company record, so if e.g. URL is google.com, full URL to twenty-icons is https://twenty-icons.com/google.com and it doesn't save any data, also it's managed by Twenty and not by other company

@BOHEUS I understand that, but it is not relevant in terms of GDPR. We can't have personal data sent to a third party without consent.

Tbh, I don't understand why Twenty would add team with first and last name of some person to URL unless that person typed URL like that or it's done by Elestio (which is more than unlikely)

That makes it even more scary.

Also it is not the only name that got exposed. It's a bit hard to give better Steps to reproduce because also with access to the data I can't easily figure out where the url was pulled from.

[BOHEUS]

BOHEUS I understand that, but it is not relevant in terms of GDPR. We can't have personal data sent to a third party without consent.

@StephanieJoly4 could you confirm that sending requests to twenty-icons is not a problem from law perspective and it's fully compliant with GDPR as requests are not tracked?

Also it is not the only name that got exposed. It's a bit hard to give better Steps to reproduce because also with access to the data I can't easily figure out where the url was pulled from.

Like I've mentioned, URL is pulled from Company record, from field named Domain name to be precise

[StephanieJoly4]

@charlesBochet @FelixMalfait could one of you please confirm if we're actually sending personal data as described above?
I guess we need to double check this first and then adjust accordingly.

Thank you @BOHEUS and @geek-andi for bringing this to our attention

[FelixMalfait]

Hey @geek-andi, the service makes external calls to twenty-icons for company domains yes the twenty-icons server could potentially know "this ip X has requested to view the icon for company Y", that's it (no first name, last name etc ; I think the confusion might be that in the domains field you added a url to their team's page or something like that).

This is absolutely not "law breaking" as there is a legitimate use-case for those calls and I don't like the tone of your issue to be honest. We would have gladly considered thinking about a small flag to make icons optionals but not when it's asked this way 🙃

[geek-andi]

Hey @geek-andi, the service makes external calls to twenty-icons for company domains yes the twenty-icons server could potentially know "this ip X has requested to view the icon for company Y", that's it (no first name, last name etc ; I think the confusion might be that in the domains field you added a url to their team's page or something like that).

@FelixMalfait I was seeing names in url requests. That raised all red flags for me, because I couldn't find documentation why twenty would make these requests at all and which data it pulled.

It's true, that those were company domain entries.

This is absolutely not "law breaking" as there is a legitimate use-case for those calls

My take on that is: User-entered data should never be auto-exposed to third parties. Users make mistakes, enter data in the wrong field and stuff. A little bit of paranoia is a good thing IMHO.

and I don't like the tone of your issue to be honest.

I was trying to be as clear as possible. It was not meant as an accusation or anything. I understand, that that came of wrong and I could have formulated my request more thoughtfully. Sorry for that!

We would have gladly considered thinking about a small flag to make icons optionals but not when it's asked this way 🙃

That's up to you to decide for sure.

[geek-andi]

So let's try again ;) I changed the title from

Turn off privacy-compromising and law-breaking requests to twenty-icons.com

to

Add an option to turn off potentially privacy-compromising requests to twenty-icons.com

[FelixMalfait]

Thanks :)