GDPR clarification?

General out-of-character discussion among players of Cantr II.

Moderators: Public Relations Department, Players Department

curious

GDPR clarification?

Postby curious » Sun Aug 05, 2018 8:50 am

I am aware that since May this year, in Europe at least that the laws on data management and protection changed.
The Genderal Data Protection Regulation came into effect and to be honest... it's application is vague. Some argue that it is vague on purpose to try and 'catch' organisations who would not usually be considered relevant... basically, the focus was on trading businesses as opposed to 'free-to-play' or 'free-to-accress' non-profit services

I know that Cantr has some of my details on its server(s). It has my email address and I also know that email addresses have commanded a premium in both data 'sales' and theft purely because of their value in marketing.

I am also assuming that the data stored on the Cantr servers is somehow attached to my in-game activity. Logs and/or participation in making things like notes notes. I think the last time this was mentioned on the forum was way back in 2014 because of a perceived threat to security and the implementation of an encryption?

What I am curious about is"
1. Is the game GDPR compliant (I can't find anything in the game blurb about this)? and...
2. If I choose to leave the servers, what are my options for complete data removal?

Thank you.

[I see this is a general point of debate but please feel free to move it to support]
User avatar
Jos Elkink
Founder Emeritus
Posts: 5711
Joined: Mon Jul 14, 2003 1:17 pm
Location: Dublin, Ireland
Contact:

Re: GDPR clarification?

Postby Jos Elkink » Sun Aug 05, 2018 8:56 am

We are (and have been) discussing this internally and will provide further clarification in due course. Suggestions from players here are welcome in public discussion, but from an organisational point of view, we will not comment until we have a clear joint position. We have made some investigations and had some discussions, but we are still finalising conclusions on the matter. We will of course ensure to be compliant with the law.
User avatar
sherman
Public Relations Chair/Translator-Finnish (PR)
Posts: 914
Joined: Tue May 14, 2013 10:58 am
Location: Finland, Helsinki

Re: GDPR clarification?

Postby sherman » Sun Aug 05, 2018 10:05 am

This following message is my personal opinion and has nothing to do with me being member of staff:

I personally find whole GPDR a mess that is poorly made and confusing to understand. So I used following site to get idea what it is (I'm sure there's people who have no idea what it really mean so... feel free to check it) http://www.itpro.co.uk/it-legislation/2 ... ed-to-know

1) I think game is as clear as it can with said law. It's confusing mess like I said and Cantr has no paid lawyers to take care of such legal things so... The fact is games need certain data to work and make sure people can't circle around bans etc. The said law is made to control facebook, microsoft etc. So games are kinda on grey zone in my opinion. I doubt they paid much attention to gaming when it was made. It would be a mess if people could abuse the law to circle bans and punishments. Would be totally fun to play mmorgs with all the cheaters who can avoid punishments

2. Like said games need certain data to make sure rule breakers can't bypass them so complete data removal in my opinion isn't possible
Don't fight a battle if you don't gain anything by winning.
-Erwin Rommel-
User avatar
Alladinsane
Posts: 3351
Joined: Thu Mar 11, 2010 9:09 pm
Location: Fla

Re: GDPR clarification?

Postby Alladinsane » Sun Aug 05, 2018 9:32 pm

I wouldn't worry about it. A few legal holes exist, like the perceived ability to retroactively enforce on un-associated entities.
A constitutional lawyer in the US would salivate at the chance to make a name dismantling what I read, especially if a company in question is not based in the EU.

I did not see immunity from civil action however... Its just on a cursory examination right now. Doxing is becoming serious; but an organization that arbitrarily grants itself permission to retroactively enforce its own rules upon other organizations who are not even subject to its jurisdiction in other areas... is about as effective as the self appointed 'world court' was when it tried to enforce a sanction on a US president for controlling the country that was primary responsible for the conduct of Operation Desert Storm.

I think you can trust the core members of the Cantr staff to not abuse your info... they have no history of doing so in the past and the ones that attempted such actions were promptly removed, showing good faith on the part of the core members of staff.


JMHO based on my limited legal education... use as you see fit.
A famous wise man once said absolutely nothing!
User avatar
Jos Elkink
Founder Emeritus
Posts: 5711
Joined: Mon Jul 14, 2003 1:17 pm
Location: Dublin, Ireland
Contact:

Re: GDPR clarification?

Postby Jos Elkink » Mon Aug 06, 2018 8:06 am

Are you assuming Cantr is US-based? :-) Cantr has always been within EU jurisdiction.
curious

Re: GDPR clarification?

Postby curious » Mon Aug 06, 2018 8:44 am

It doesn't matter.
The only difference between EU citizens and US citizens is that US citizens don't have this law protecting them (and it is a law).
Protection and access to data is attached to the citizen, not their location.

As for having 'faith'..? You'll just have to forgive me for being sceptical as to which of a bunch of volunteers that I don't know anything about are a better option than say... a published privacy policy..?

Legal holes then..? No. There are exceptions and caveats but basically, the principle remains unchanged. Lack of funds to employ a lawyer to manage the compliance is not an exclusion... neither is being a small organisation. Also... being in the "grey area" is a gamble and in the initial confusion of just how people are to meet the requirements of this new law, you think they won't look for precedent? Worse, they will be looking to form an audit trail of prosecution, not some form of liberal denial. They have invested a lot in this initiative and they will make it work.

My question regarding my own access to my data on these servers is also as yet unanswered. How do I see it and, if I don't like it, how do I get rid of it? I appreciate that's a big request, especially if my initial data produces more in-game, such as an attachment to in-game items etc... but this is the task you are faced with now, should you fail to validate the game as an GDPR exemption.
Millhouse
Posts: 521
Joined: Sat Jun 13, 2015 1:32 am

Re: GDPR clarification?

Postby Millhouse » Wed Aug 08, 2018 2:27 pm

To be honest, it's always weirded me out a bit with the activity logs. Just the fact that everything I do and say in the game is sitting there in multiple people's inboxes. The potential for doxxing would be a little unsettling if I weren't more careful what I do or say in game.
User avatar
Wolfsong
Posts: 1277
Joined: Sun Dec 13, 2009 5:33 am
Location: Australia

Re: GDPR clarification?

Postby Wolfsong » Thu Aug 09, 2018 11:42 am

I know in the past when Cantr II was "hacked" by a disgruntled staff member, it was revealed that all passwords were saved in plaintext. Was this ever fixed?
Image
User avatar
Rmak
Posts: 347
Joined: Mon Sep 21, 2015 9:00 am

Re: GDPR clarification?

Postby Rmak » Fri Aug 10, 2018 1:29 am

I am an EU citizen, such glorious days of being spammed by companies asking me if they can continue to keep my data :)

Just update the Cantr terms and conditions to reflect "by using this we have your data" and if they don't want it, they don't play.
Quote Wolfsong:
They aren't playing children; they are playing mentally ill people.

:twisted: :roll: :lol: 8) :twisted:
User avatar
Jos Elkink
Founder Emeritus
Posts: 5711
Joined: Mon Jul 14, 2003 1:17 pm
Location: Dublin, Ireland
Contact:

Re: GDPR clarification?

Postby Jos Elkink » Fri Aug 10, 2018 7:07 am

Wolfsong wrote:I know in the past when Cantr II was "hacked" by a disgruntled staff member, it was revealed that all passwords were saved in plaintext. Was this ever fixed?


Yes, that was fixed.
User avatar
Alladinsane
Posts: 3351
Joined: Thu Mar 11, 2010 9:09 pm
Location: Fla

Re: GDPR clarification?

Postby Alladinsane » Sat Aug 11, 2018 6:27 pm

By signing up, you sign an implicit agreement...if you enter no data, no data can be processed.

saying that you gave up anything willingly...good luck with that legally, people only have what you give them.

*******************************************

No Jos, I was not saying it was/is a USA company, only analyzing how us laws apply
IF
that were the case.
I don't know if the eu can apply any of its territorial laws to the us or not.
They tried before and now that we have a madman in control of the USA... he might cut the funding and troop protection.
stranger things have happened and we have a strange leadership now, I have no accurate position on what will happen.


Be well,
A famous wise man once said absolutely nothing!
User avatar
Money
Posts: 929
Joined: Fri Feb 15, 2008 1:05 pm

Re: GDPR clarification?

Postby Money » Tue Aug 14, 2018 2:30 pm

Just wanted clear up some particular points as I've worked on GDPR compliance.

Any company which collects data within the EU regarding EU citizens must abide by the requirements and restrictions of the GDPR when handeling that data. Unless Cantr is going to implement two tiers of data storage and handeling the GDPR will effectivly apply to non-EU citizens as well. Side note: I would be concerned if Cantr stores the data of EU citizens outside the EU.

Exemptions are very few and far between. Games are definitely not exempt from the GDPR. They're actually one of the main targets of it. A lack of funds or technical expertise also doesn't exhempt you from the GDPR. Fun fact: financial regulators are actually pushing back against the GDPR because they've essentially lost their former exemption from EU privacy legislation.

If any data is stored in plain text, especially if it can be linked together in such a way as to identify the person, I would change that immediately. I would also limit access to even encrypted data to the bare minimum of essential personnel.

I might post more later, but those are the important points.
curious

Re: GDPR clarification?

Postby curious » Wed Aug 15, 2018 7:29 pm

Thanks for that, Money. It makes a lot of sense...
...it doesn't do anything to fill me with confidence but it makes sense.
User avatar
SekoETC
Posts: 15523
Joined: Wed May 05, 2004 11:07 am
Location: Finland
Contact:

Re: GDPR clarification?

Postby SekoETC » Wed Sep 19, 2018 2:53 pm

I've heard that generally when sites are asked to delete identifiable information, it doesn't mean that you have to delete everything, just the parts that allow connecting that information to a user. So for example for a webstore, when a user requests their information to be deleted, it deletes their email address, bank information, name, address, etc, but what is allowed to remain is purchase history bound to a "ghost account" that can never be linked back to who owned it. Then the information about purchases can be used for statistics, but no one can ever tell who the buyer originally was.

When somebody has an active account in Cantr, the information bound to that can be used to ensure that the user cannot open a secondary account while the first one is active, but when a user quits playing Cantr, by law they now have the right to have their identifying information deleted/obscured, so that even though there can be a list of character spawn and death dates attached to an account id, the username, email address, real name etc. must be purged on request. But apparently it's still legitimate to keep a registry to identify banned individuals based on "legitimate interest". https://www.reddit.com/r/gdpr/comments/ ... ing_users/
Not-so-sad panda

Return to “General Discussion”

Who is online

Users browsing this forum: No registered users and 1 guest