Page MenuHomeWildfire Games

0 A.D. Empires Ascendant Multiplayer Lobby Privacy Policy
ClosedPublic

Authored by elexis on Jun 28 2018, 2:42 PM.

Details

Reviewers
Itms
Group Reviewers
Restricted Owners Package(Owns No Changed Paths)
Commits
rP21908: Lobby Privacy Policy.
Trac Tickets
#5286
Summary

The GDPR requires us (see Article 4, definition of controller) to be more transparent to the user and provide a means to request or erase personal data.
Notice that while the Terms are more extensive now, they don't grant us more rights than before.

Test Plan

Read the GDPR, especially:
https://gdpr-info.eu/

  • Article 4 Definitions
  • Article 6 Lawfulness of Processing
  • Article 8 Childs Consent
  • Article 12 Transparency
  • Article 15 Right of access
  • Article 17 Right of erasure

Diff Detail

Repository
rP 0 A.D. Public Repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
elexis added a comment.Jul 4 2018, 5:32 PM
In D1590#63852, @bb wrote:

Read the code and comments, but as having very limited knowledge about these matter (nor an urgent will to become an expert), can't say anything about the completeness.
Much appreciating the work on it!!

Thanks

What about mods, they will incorporate these files, but might process the data in a very different way. I guess as the mods are not ours it is not our problem, but the files still refer to WFG. Making a comment in the modding guide to change these files is the least we can do.

There is a GUI mod already that provides an autologin feature for the multiplayer lobby that circumvents the mechanism of getting user agreement prior to login if the terms changed.
Mods could less easly circumvent it if the terms would be fetched prior to login using C++ code.
The XMPP specs don't offer a terms&service feature specifically, the closest thing would be the room subject I think: https://xmpp.org/extensions/xep-0045.html#subject-mod
Doesn't mean we can make it impossible for mods to skip the use agreements.
But we can make that against the terms of use and kick everyone we know that uses a mod to circumvent that.
Hence the terms of service addition had been added: "1. Only use the service with the official software unless authorized by a Wildfire Games team member."

Don't you gather hardware informations? I didn't read something like that.

That's the UserReporter seen in the main menu.
That is not sent to the Multiplayer Lobby service and it's not related to the lobby either.
It is sent in the main menu, has custom terms (we didn't check that for GDPR complience yet), sent for singleplayer matches too
and the sent data does as far as I know not contain the lobby username nor an IP address but a unique userreporter ID saved in the users config file.

So you raise an important point, users should find out how the personal data of other service affects their rights.
The lobby terms should probably link to a document with references to the terms of the different places.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
37 ↗(On Diff #6790)

The last sentence is the continuation of the first sentence, the sentences in between only explain why the first sentene is true;
i.e. the meaning was that lobby userdata becomes anyonymous if the IPs are gone.
So I can clarify that.

But are there further exemptions from that state? It's equivalent to the question whether we are obligated to be able to enforce the use policy in every forum post and chat message since the beginning of forum posts (i.e. if we had to proofread before allowing forum posts to be published, i.e. removing the instant from instant messaging))

41 ↗(On Diff #6790)

It would be easier for us to have the computers handle that, but it will require lots of coding and has to be secured against abuse too.

In D1590#63859, @elexis wrote:

Don't you gather hardware informations? I didn't read something like that.

That's the UserReporter seen in the main menu.
That is not sent to the Multiplayer Lobby service and it's not related to the lobby either.
It is sent in the main menu, has custom terms (we didn't check that for GDPR complience yet), sent for singleplayer matches too
and the sent data does as far as I know not contain the lobby username nor an IP address but a unique userreporter ID saved in the users config file.

So you raise an important point, users should find out how the personal data of other service affects their rights.
The lobby terms should probably link to a document with references to the terms of the different places.

So the terms for the "main menu" hast be rewritten befor rerelease?

So the terms for the "main menu" hast be rewritten befor rerelease?

It's still not a problem of the lobby terms, but you are right that the UserReporter needs some treatment too as far as I see. To me it looks like we should drop that service and reimplement it from scratch (currently noone uses it and it has database scalability issues).

bb added a comment.Jul 9 2018, 11:28 PM

Some digging in the GDPR leads me to two concerns (I am in no position to say if these are fixed everything is ok but would doubt if there are more problems)

Art 8.2 states we need to take "reasonable effort" to ensure the user is >16y or there is parental authorization, so imo we should add that the user agrees to be 16+ or has parental authorization.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
41 ↗(On Diff #6790)

Maybe a bit of coding, but certainly worth a ticket

Following art 15 and 16 we need some lines on rectification and erasure of accounts (for now probably just the e-mail but some lobby buttons would be nice in the future)

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Service.txt
11 ↗(On Diff #6790)

a space too many

Art 8.2 states we need to take "reasonable effort" to ensure the user is >16y or there is parental authorization, so imo we should add that the user agrees to be 16+ or has parental authorization.

8.2. applies only where consent is given: https://gdpr-info.eu/art-8-gdpr/

Where point (a) of Article 6(1) applies,
in such cases
that consent is given

https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&page=3&tab=comments#comment-357596
https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&do=findComment&comment=357955
https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&do=findComment&comment=358012
https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&do=findComment&comment=358127
https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&do=findComment&comment=358224
https://wildfiregames.com/forum/index.php?/topic/24325-gdpr/&page=5&tab=comments#comment-358838
https://trac.wildfiregames.com/wiki/UserDataProtection?version=2
I didn't find the original Terms Of Conditions diff on the forums by Itms that had the consent diff.)

Using consent is also bad because consent can be retracted, but legitimate interest or processing to fulfil a contract is always ours or has never been (see article 6.1, thats the most important article).

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
41 ↗(On Diff #6790)

You probably refer to Art 17 Right Of Erasure more than 15 and 16. https://gdpr-info.eu/art-17-gdpr/

But that right is rarely given, especially because we dont process with consent and only process the minimum for performing services and project development

where one of the following grounds applies
the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1)

I don't think we need erasure of accounts, but the erasure of IP addresses.
It's related to the above paragraph claiming it's anonymous data if the IP is gone.
You have to consider that deletion of an account means that someone else can recreate the same account and thats kind of an impersonation problem, so we better ban an account if a user wants to stop being able to login.

bb added inline comments.Jul 16 2018, 5:19 PM
binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
41 ↗(On Diff #6790)

indeed meant 16 (rectification) and 17 (erasure)

the only point for 17 I see relevant for us is a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; but as the ip-address is collected for Abuse and we delete everything after 2 years, we can argue we still "need" the data for that period. (Don't know if we need to explain this here)

Rectification probably can't occur as the current IP address will always be correct

Stan added inline comments.Jul 16 2018, 5:50 PM
binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
41 ↗(On Diff #6790)

Doesn't requiring authentication mean gathering even more personal data ?

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Use.txt
23 ↗(On Diff #6790)

Not sure the P should be a Capital.

Stan added a comment.EditedJul 16 2018, 5:54 PM

What if as per article 18 one says he doesn't want his data processed for ratings. Do we delete the account ? Or do we force him not to go on rated games ? He might want to play with a fixed rating or no rating at all with player who want to get rated. How does it go

bb added a comment.Jul 16 2018, 6:39 PM
In D1590#63984, @Stan wrote:

What if as per article 18 one says he doesn't want his data processed for ratings. Do we delete the account ? Or do we force him not to go on rated games ? He might want to play with a fixed rating or no rating at all with player who want to get rated. How does it go

Which clause of art 18.1 applies?

Stan added a comment.Jul 16 2018, 6:54 PM

Changing Ip often ?

elexis added a comment.EditedJul 20 2018, 8:02 PM

About lobby chat logging policy support in XMPP, I found this:
https://xmpp.org/extensions/xep-0045.html#enter-logging

If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged. This is done by including a status code of "170" in the initial presence that the room sends to the new occupant

While I couldn't find the flag with wireshark, ejabberd is considered an XMPP complient implementation and there is evidence such as https://github.com/processone/ejabberd/issues/936 that ejabberd sends the status flag.

So people who use the lobby server without the official software are informed too. Still XMPP seems GDPR incompatible by design if there isn't a way to send terms prior to room join.

Edit: Room discovers allows fetching of room metadata prior to joining and clients SHOULD do so: https://xmpp.org/extensions/xep-0045.html#disco-rooms

Itms added a subscriber: Itms.Jul 23 2018, 4:02 PM

One more batch of comments :) Thanks again for the work on that.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
10 ↗(On Diff #6790)

I am not sure of the legal meaning of "for example", so maybe "including, but not limited to" would be more accurate.

11 ↗(On Diff #6790)

"refers to the algorithmic processing of player match statistics"

11 ↗(On Diff #6790)

Also add at the end: ""Rating" also refers to the aforementioned comprehensive score". (See the next bulletpoint for an example of that usage)

20 ↗(On Diff #6790)

Which port number are we speaking of here? Time of connection and presence changes are in the Lobby Chat, am I wrong?

If only the IP address is actually stored for moderation purposes only, I think this should be 2 years like in the next section.

30 ↗(On Diff #6790)

Looks good to me.

35 ↗(On Diff #6790)

This key issue seems to state that if the user is below 16 (or 13 if the national law states it), we need parental consent, since our service is open to both children and adults. So maybe add a sentence about parental consent that applies to the whole policy, and don't make this specific sentence dependent on the user's age.

36 ↗(On Diff #6790)

Do you mean "not verifiable by us" or is it a wording with a specific meaning?

37 ↗(On Diff #6790)

Do you mean pseudonymous instead of anonymous? And when you say "stop using", do you mean terminating the account, or just stopping using it? Maybe rewrite it like you planned to and I'll comment on that.

39 ↗(On Diff #6790)

"file a personal data request"

41 ↗(On Diff #6790)

The idea of sending a passphrase by email that can be posted in the lobby sounds good to me.

I agree with bb that we could have a ticket for adding a few features to the lobby bot, mainly erasing a user from the database, and extracting their data from it. The former would need admin rights, and the latter would need admin rights or being said user.

I think Stan is right, but it's not a big deal: just write a short remainder that emails sent to the user-data address will be kept for N years in order to be able to prove we complied with the request.

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Service.txt
9 ↗(On Diff #6790)

I think this is a bit too narrow: we need to exclude a modified version that leaks data on purpose. I would phrase this as:

"Official software" refers to the software "0 A.D. Empires Ascendant" published on the Wildfire Games website, or any modified version of this software that handles personal data correctly, i.e. as described by the accompanying Privacy Policy.

Is that what you wanted to mean by this definition?

14 ↗(On Diff #6790)

"Only access the service through" maybe? Just nitpicking.

16 ↗(On Diff #6790)

What about going even further: "Use the service at your own risk, without assuming it will behave as you would expect. We do not take responsibility for the content posted by users on the service, nor do we guarantee the service to be safe to use, working or fitting for a particular purpose".

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Use.txt
19 ↗(On Diff #6790)

Yes I think that's good. See my suggestion about making the SVN version the official one, let me know what you think and whether it's a bad idea.

23 ↗(On Diff #6790)

I agree with elexis, the phrasing is fine. Maybe "not publish own or other's personal data"? (the capital p doesn't matter I think).

binaries/data/mods/public/gui/prelobby/common/terms/terms.js
55 ↗(On Diff #6790)

yep, lgtm

Itms added a reviewer: Itms.Jul 23 2018, 4:03 PM
wraitii added inline comments.
binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
36 ↗(On Diff #6790)

Everything after the first comma is useless and/or wrong here. Should be "publicly available" imo.

37 ↗(On Diff #6790)

Indeed, unclear.

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Service.txt
9 ↗(On Diff #6790)

It's not, is it? The software in this case is the lobby backend, not so much the frontend.

I think we can't actually guarantee anything here given the open-ended nature of the lobby, so ideally we should require an email and verify accounts (sending the privacy policy along) - unverified accounts should be deleted ASAP.

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Use.txt
23 ↗(On Diff #6790)

Seems impossible to enforce to me and likely useless/negative.

andy5995 updated the Trac tickets for this revision.Aug 15 2018, 2:07 PM

To all proclaimed reviewers,
it is kind of necessary to read the GDPR articles before judging about them or even claiming this to be a complete implementation (and I have expressed this after the review as posted here on IRC and forums).

Some aspects were very quick to be considered correct, in particular whether Consent is necessary, whether Parental Consent is an option, whether the Legitimate Interests basis does actually hold, whether chatlogs and IP logs are considerd intrusive, whether they are ncessary.

The diff was disastrously wrong in failing to implement Article 13 and Article 32, as the related UserReporter implementation on github and Phabricator had shown.

The lobby backend and implementation was probably never considered for COPPA (Childrens online privacy protection act) and DPD (data protection directive),
requiring a reevaluation of the practices and alternatives.

Other than reading GDPR, COPPA and DPD decisions, one should have also read privacy policies of companies, preferably as many as possible.

I have committed updated Terms of Use and Terms of Service independent of personal data processing and rewritten the Privacy Policy from scratch since none of it had satisfied my own skepticism.

! In D1590#63984, @Stan wrote:

Then we continue to pay attention to the letter of the law and its minute details, consider that GDPR user rights have to relate to the individual before posting something.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
10 ↗(On Diff #6790)

Not sure what "for example" could mean otherwise than including but not limited to. (I tried not to repeat the phrases and keep it short)

17 ↗(On Diff #6790)

All of the definitions were (1) repeated in all terms and (2) can be inlined to shorten and make it more forward.

20 ↗(On Diff #6790)

UDP and TCP port numbers for XMPP and enet connections, but it seems irrelevant / implied

30 ↗(On Diff #6790)

(In your pull request from September 25th https://github.com/elexis1/0ad/pull/1 you pointed out that it's not anonymous but pseudonymous)

35 ↗(On Diff #6790)

As it turned out, there is COPPA, 0 A.D. is not directed to children below 13 and that we don't use Consent as a legal basis, because we can't obtain parental consent and don't want to process things that aren't already in our overriding legitimate interest (according to best knowledge and good faith).

36 ↗(On Diff #6790)

The idea had been that to claim that all data is pseudoynmized, even if someone claims to be the emperor of china on the chat. Anyway, rewritten.

37 ↗(On Diff #6790)

Yes, "anonymous" goes out of the window. Even pseudoynmous is not true for people whos nicks are known. For example 0AD Youtubers with their realname, or our commit credits or forum postings like the legal waiver thread.

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Service.txt
9 ↗(On Diff #6790)

handles personal data correctly

Correctly is what we define in the Terms to be correct handling, that is also compliant with GDPR and COPPA.
If we want people to stop violating the ToU, then they must learn our ToU, not a modified one.

10 ↗(On Diff #6790)

That was one of the universal grants that was probably entirely against the DPD, the predecessor of GDPR.

11 ↗(On Diff #6790)

There was also much empty space behind the clauses.

16 ↗(On Diff #6790)

Well, it's about protection from damage that we could be held legally accountable unless we exclude the liability (somehow). "Fitting for a particular purpose" at least is nothing that I expect someone to claim, in particular legally.

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Use.txt
19 ↗(On Diff #6790)

Downloading newer terms and storing the version online is a good idea but kind of hypothetical.

23 ↗(On Diff #6790)

The phrasing was wrong since every chat message is personal data, because it "relates to an identifiable natural person".
Personally identifiable information was meant.
It's indeed hard to impossible to enforce, but we can still inform people what they shouldn't do and what we may ban people for.
The benefit of the clause is having to not delete things that aren't posted and to minimize the impact of chatlogs.

elexis updated this revision to Diff 6925.Oct 15 2018, 7:49 PM

Rewrite everything.

elexis edited reviewers, added: Restricted Owners Package; removed: Itms.Oct 15 2018, 7:51 PM

Successful build - Chance fights ever on the side of the prudent.

Link to build: https://jenkins.wildfiregames.com/job/differential/741/display/redirect

smiley added a subscriber: smiley.Oct 15 2018, 8:27 PM

Somethings found from a quick skim.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
6 ↗(On Diff #6925)

No JID vs nick mentioned? I guess its necessary since its possible to /nick.

18 ↗(On Diff #6925)

IMO, this is too specific. What about cases where a user is suspected but no account has been banned?
Would suggest “persons suspected of violating the ToS” or is that a violation of GDPR? (To act on suspicion)

70 ↗(On Diff #6925)

Typo, neeeded
Also “minimization” for consistency. But I guess that cant be done.

75 ↗(On Diff #6925)

11

binaries/data/mods/public/gui/prelobby/common/terms/Terms_of_Service.txt
7 ↗(On Diff #6925)

Depcition

12 ↗(On Diff #6925)

IMO, reads better with “authorized by Wildfire Games”.

Stan added inline comments.Oct 15 2018, 8:29 PM
binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
10 ↗(On Diff #6790)

I believe that's the correct formula, at least that's the one I've seen all over documents when quoting stuff that might happen. I guess the idea is to be idiot proof

Itms added a comment.Oct 15 2018, 9:58 PM

Apart from the point 14 (actually 13) of WFG obligations, which I believe needs a rephrasing, I am on board with this document! Thanks for all the hard work.

binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
5 ↗(On Diff #6925)

(GDPR 13.1.c) maybe ?

6 ↗(On Diff #6925)

@smiley I'd say that, since playername is defined here as "[the] name that the player chooses at the time of registration", it is the JID. Adding technical details would be confusing, and would make the terms dependent on the implementation.

18 ↗(On Diff #6925)

@smiley You make a good point but this phrasing makes the purpose of the processing clear. Inferring the ISP or the country of origin will usually be done for this specific case. Maybe we could write Enforce the Terms of Use, for instance where persons [...], in order to reduce the restrictiveness, but I don't have a strong opinion.

36 ↗(On Diff #6925)

"related" to the game, no?

51 ↗(On Diff #6925)

for consent to process data

77 ↗(On Diff #6925)

I have difficulties to understand the phrasing here (contrary to the rest of the document which is very clear). Is there a comma missing between legitimate interests and "balancing test" assessments? I'm not sure what "balancing test" refers to, actually 😕

Itms accepted this revision.Oct 15 2018, 10:02 PM

Sorry, I just googled what it is! Balancing test assessments are not called like this in GDPR itself, are they? I believe the missing piece is not a comma, but a "through" then.

This revision is now accepted and ready to land.Oct 15 2018, 10:02 PM
elexis added inline comments.Oct 16 2018, 3:45 PM
binaries/data/mods/public/gui/prelobby/common/terms/Privacy_Policy.txt
5 ↗(On Diff #6925)

That's a heading, so it looked too ugly to keep the reference

6 ↗(On Diff #6925)

See recent Terms of Use change:

  1. Not impersonate other users of the service and only use your registered username in multiplayer matches.

Just because people decided at the time to implement XMPP and XMPP doesn't have good moderation tools doesn't mean that XMPP servers or rooms can't have custom room policies restricting XMPP features that are implemented on the front and backend. Usually ToS are enforced by refusing the service, so things ought to be configured or implemented in ejabberd. There may be other chatrooms that you can use with the 0 A.D. XMPP client that allow nickchanges.

18 ↗(On Diff #6925)

My sentence missed the case where people create the Nth account without any of the existing ones having been banned prior. That's a common case as well.
"persons suspected of violating the ToS" is false, because the IP logs exists only for a specific reason, people creating unpermitted accounts, since all(?) the other ToS aspects are solved without the IP logs.

Actually stolen passwords may also be detected this way and the perpetrator may be identified. But they are probably covered by cyber-attacks and that has only occured in one or two cases so far, while creating a new accoutn after being banned is something very frequent and something that leaves us without the ability to enforce the ToU if we don't do it this way or a more difficult way (like not allowing chat until 20 hours of being online in the lobby, not allowing rated matches until 20 hours of played matches or something. Email registrations. Also it would log more but different data, so it's questionable whether it's better.).

If we have new use cases, we can add them later in a new revision (as long as the data up to this point is not processed for purposes incompatible).

19 ↗(On Diff #6925)

Since there are no definitions for balances and the balancing tests / legitimate interest assessments aren't giving a clear answer to retention times either, my stomach says two years max. On the forums they are stored forever it seems. Other moderators proposed longer retention times. There should be a filled out LIA test to justify that and then it may still be extended if it's deemed necessary and so forth.

32 ↗(On Diff #6925)

Notice that there is no retention time specified for chat messages, so the mentioned criteria have to be used to determine that time.

36 ↗(On Diff #6925)

Why not use present tense consistently?

51 ↗(On Diff #6925)

ack

70 ↗(On Diff #6925)

This document is in en-US and it quotes from en-UK. Going for US though.

75 ↗(On Diff #6925)

Ah, GDPR 11 part of the UserReporters Terms_And_Conditions, copied, pasted, deleted instead of adapted.

77 ↗(On Diff #6925)

legitimate interests "balancing test" assessments was picked from
https://static1.squarespace.com/static/57ff6b30bebafba9d10c7dcd/t/5a5f3336ec212d22697ba776/1516188471440/CII+Guidance+Notes+Legitimate+Interest+%27Balancing+Test%27+Assessment+Template+%281%29.pdf

Balancing test assessments are not called like this in GDPR itself, are they? I believe the missing piece is not a comma, but a "through" then.

The word balancing test is not defined in GDPR but is derived from the legitimate interest base article 6.1.f, Recital 47 and the Data Protection Directive standards. and GDPR 5 (accountability) stating that we get the burden of proof to demonstrate compliance with 6.1.f..
LIAs are different from DPIAs. So reducing to legitimate interest assessment and s/or/and.
The term LIA is very common, used by the ICO too, so people who will try to perform what is posted here, will figure it out if they try.

10 ↗(On Diff #6790)

Why would "x (for example y)" not be 'idiotproof'? (Coudln't find anything online)

Closed by commit rP21908: Lobby Privacy Policy. (authored by elexis, committed by ). · Explain WhyOct 16 2018, 3:52 PM
This revision was automatically updated to reflect the committed changes.
Owners added a subscriber: Restricted Owners Package.Oct 16 2018, 3:52 PM