
Mass Player Tracking Projects & Spying


Virtual


24 minutes ago, michaelk said:

According to GDPR, identifiers are PII and collecting/selling/distributing to third parties isn't okay.

IRL sure.. GDPR does not apply in a game and the number representing the player account is not an identifier IRL UNLESS you can link the number to the account identifier IRL (the email address) and the latter is not possible. The account number means nothing by itself outside of the game.

 

If someone collects data about which accountID under which character name visits which market at which time in the game and sells that data in game for whatever reason, that has absolutely zero relevance to GDPR.

Link to comment

8 minutes ago, blazemonger said:

IRL sure.. GDPR does not apply in a game and the number representing the player account is not an identifier IRL UNLESS you can link the number to the account identifier IRL (the email address) and the latter is not possible. The account number means nothing by itself outside of the game.

 

If someone collects data about which accountID under which character name visits which market at which time in the game and sells that data in game for whatever reason, that has absolutely zero relevance to GDPR.

Why do you think GDPR does not apply in a game...? As I understand it, it applies across the board to all handling of data no matter the medium -- if the user is a resident of the EU or if the company is based in the EU. It only doesn't apply for companies outside the EU whose customers are also outside the EU. 

 

It doesn't matter if the identifier ties back to a person IRL. That's not what GDPR says. 

 

Reference the source material I linked in my previous post -- a unique identifier is PII if it can be used to differentiate one person from another, no matter if you can determine that person's real life identity!

 

There's nothing under GDPR that says PII must tie back to an email or name. Character names, social media handles, primary key IDs...these are all considered PII because they fall under the definition of a unique identifier. That the account number "has no meaning" outside the game doesn't matter per the definition of the law. 

Link to comment

28 minutes ago, michaelk said:

Why do you think GDPR does not apply in a game...? As I understand it, it applies across the board to all handling of data no matter the medium -- if the user is a resident of the EU or if the company is based in the EU. It only doesn't apply for companies outside the EU whose customers are also outside the EU. 

It does not apply in game because a character is not a real person and with the data available in game you can't trace back to a RL person. So the data is not personal data as defined under GDPR. Only when you can link the in game data to the personal data IRL (the email address) would it fall under GDPR.

 

  

28 minutes ago, michaelk said:

a unique identifier is PII if it can be used to differentiate one person from another, no matter if you can determine that person's real life identity!

That is correct, yes. That said though, only if you are able to identify an individual either directly or indirectly, GDPR will apply and with the in game ID alone that is not possible.

 

If you can tell me the name of 123456789 then yes, this is covered by GDPR.

Link to comment

2 minutes ago, blazemonger said:

It does not apply in game because a character is not a real person and with the data available in game you can't trace back to a RL person. So the data is not personal data as defined under GDPR. Only when you can link the in game data to the personal data IRL (the email address) would it fall under GDPR.

It doesn't matter if the character is a real person or not. It doesn't matter if the player ID is "useless" and can never be associated to a real person. 

 

Let's go back to the ICO explanation:

Quote

An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors/#pd3

 

The fact that player ID distinguishes one individual from another is sufficient to classify it as PII in this context. 

 

It might not seem logical or even reasonable, but that's what the law says.

Link to comment

21 minutes ago, michaelk said:

The fact that player ID distinguishes one individual from another is sufficient to classify it as PII in this context. 

 

What you are overlooking here is that in all cases defined the identifier is _directly_ linked to a person and IRL. Neither is the case in game.

 

"The UK GDPR provides a non-exhaustive list of common identifiers that, when used, may allow the identification of the individual to whom the information in question may relate.""

 

So, when you see 123456789 came in range of a detector in game, does that allow you to identify the person this number relates to? If so, then you are correct.

If you can tell me the name of the player behind character "MisterX" who used the elevator at Market17 at 9:15PM today you have a point.

 

But there clearly is little point in discussing this argument as you think you are correct and I know I am ;)

 

 

Link to comment

4 minutes ago, blazemonger said:

But there clearly is little point in discussing this argument as you think you are correct and I know I am ;)

I'd love to have the confidence to "know" I'm right despite a mess of articles and explanations that say otherwise. More power to you. 

 

Here's another source, specific to game dev, which says exactly the same thing the ICO website says and a mess of other sources say: 

Quote

This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.

The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.

https://gameanalytics.com/gdpr-faq/

 

You can believe whatever you want -- but it isn't very convincing without sources that support your assertion.

Link to comment

18 hours ago, blazemonger said:

Besides the fact you are way out of scope for the intent of this regulation, it does not apply this way. Your in game name as well as the numeric code representing your account is not something that can be used to trace back to you as an individual UNLESS you yourself reveal this information.

No, that doesn't matter.  An IP address is considered personally identifiable information and that can't be used by an arbitrary person to trace back to me.  It is personally identifiable information if it can't be used by *somebody else*.  If there is only one person using something it's personally identifiable.

Similarly my credit card number is personally identifiable because it's mine and nobody else uses the same number.  But if you have it you can't trace it back to me.  Again, it doesn't matter.  It's a number only used by me so it's personally identifiable.

 

 

18 hours ago, blazemonger said:

That there is only one RL person using that specific in game name (which is not always the case) is not what makes it personally identifiable information as the number in game nor the in game character name could be used to directly trace back to you as a RL person.

Yes it is.  Go read the relevant laws.  And it is always the case that the intended use of the in-game name is for one RL person (go see the EULA).  Sure, two people could *pretend* to be one person or someone could hack the account, but that's true of literally any piece of information about someone including their name and address.  It's still personally identifiable information.  Somebody somewhere knows how to map it back to me.  Even if that someone is me!

 

 

18 hours ago, blazemonger said:

Your IGN or account number in game is not  "personal data" as it is not "‘any information relating to an identified or identifiable natural person". It would only be personal data when combined with your email address which is the real world counterpart of the in game account number. And that link is protected by the NQ account system and it is NQ's responsibility to ensure that stays protected. Without the email address, the number means nothing. If you yourself reveal both as being linked, that does not constitute a GDPR breach by NQ.

Not true.  If the IGN is mine then clearly it identifies me.  If you see me twice in game two weeks apart you know that you saw the same person twice in game.  And you know you saw the person writing this comment.  That identifies me.  There is no requirement for you to be able to map me back to a real world person.

 

 

18 hours ago, blazemonger said:

Besides that, before gaining access to the servers you consent to the game's privacy policy which covers this as well so there is nothing here.

I'm pretty sure the game's privacy policy doesn't say that arbitrary players might use the game to collect personally identifiable information about me and my real life activities and share it both inside and outside of the game for profit.  So no, I didn't agree to it being collected and stored for that purpose.  Sure, it's unlikely anyone will actually care but anyone who, for example, collects information via a progboard, exports it outside of the game with my in game name or ID number and stores that somewhere needs to ask my permission first in quite a lot of countries.  And in a lot of them they need to state what they're storing, how long for and what they will use the information for.

 

 

18 hours ago, blazemonger said:

If someone sets up a system in game to get information on visiting patterns for a market (which really is all this is, if it is the case as assumed by OP) that would not constitute a privacy breach in RL nor in game.

Not if they only store aggregate information.  I actually think that's a great bit of emergent gameplay and I'd like to see some of the stats.  But from the original article it sounds like they're using this to do things like help orgs screen people who apply.  And that means they have a record somewhere with my in game name on it and a bunch of other information about me stored ( a list of orgs they've seen me being a member of, for example).  They need to be careful about that because they might be breaking real world laws and at some point some computer nerd will get cross about being refused entry to an org and start making trouble for them.

 

18 hours ago, blazemonger said:

 

  

As long as NQ does not reveal the player's email address through the coming API (and there is no reason to do so), there is no issue here. Players are identified in game by a number which by itself can't be used to trace back to the RL person owning the account for that player.

 

Again, not true.  If you don't believe me go look it up.  That's like saying it's OK for me to store a log of IP addresses accessing a website because there is no way to tell who is behind those addresses.  All that matters is that there is only one individual who is associated with the information being stored.  Me.  The player using the name.  
 

Link to comment

10 hours ago, michaelk said:

Except in this case this is actually illegal IRL, at least according to GDPR....

When that was being discussed, it was under the laws of the USA, not EU. I admit that I know little about the GDPR, but I do know the US laws are woefully behind EU laws where this is concerned.

 

I think I will read your links to at least gain knowledge in comparison.

 

Link to comment

11 hours ago, Deintus said:

When that was being discussed, it was under the laws of the USA, not EU. I admit that I know little about the GDPR, but I do know the US laws are woefully behind EU laws where this is concerned.

 

I think I will read your links to at least gain knowledge in comparison.

 

The USA has no federal PII laws -- it's a patchwork of state regulations (some of which are very similar to GDPR). 

 

GDPR does apply to people in the states if they collect and process data on EU citizens. (Source: https://gdpr.eu/compliance-checklist-us-companies/)

 

It's a violation of several points in the EULA/code of conduct since you agree to abide by applicable privacy laws. 

 

I think it is mad clever and a great nugget of emergent gameplay...but people do have rights and GDPR exists for a reason. Is it paranoid whining? Well, GDPR is supposed to be paranoid. 

 

Imagine someone buys a list of all known player names, then writes a bot to spam users with matching handles on social media. They could conduct a phishing campaign by impersonating NQ, steal game credentials, etc...if DU did have millions of players, this would be a no-brainer for a criminal of moderate skill. 

 

Data is a powerful tool that can be exploited in ways that aren't always apparent at first...that's why GDPR exists. 

Link to comment

3 hours ago, michaelk said:

Data is a powerful tool that can be exploited in ways that aren't always apparent at first...that's why GDPR exists. 

In this instance isn't it the other way around? The fellow complaining is a US citizen and the collector may or may not also be a US citizen? I am fairly certain that California, Michigan and Florida of the US have the closest laws to GDPR. North Carolina for instance doesn't. Then you get into that nasty "prosecution across state lines"; that's why so many scams are based in a handful of states, because they inadvertently protect the criminals from the victims.

 

Unless there is some bylaw I missed, it seems even if the server were in France it would not apply.

 

Here is something of note, unless there has been a new treaty I am unaware of, citizens of certain countries, Russia for example, can do whatever they wish. No extradition laws. Most popular example I can think of were the Sochi 14 games.

 

I know it's gotten a bit off topic but I do find this a nice discussion. Especially after compared with earlier ones.

Link to comment

10 minutes ago, Deintus said:

I know it's gotten a bit off topic but I do find this a nice discussion. Especially after compared with earlier ones.

Right? It's a really interesting topic -- games will have to consider privacy laws nowadays, especially those with APIs.

 

If the party processing the data has a "presence" in the EU they do have to adhere to GDPR, so that would include NQ as an entity. 

 

The person complaining might not have rights under GDPR, but if these beacons are sucking up data for even one EU citizen, that's a GDPR issue. With the patchwork of state legislation, it is much easier to implement GDPR across-the-board. 

 

This is something that NQ is (likely) liable for because they are effectively giving this data to third parties. 

Quote

A third-party processor not in compliance means your organization is not in compliance.

 

Link to comment

3 hours ago, michaelk said:

This is something that NQ is (likely) liable for because they are effectively giving this data to third parties. 

How do you think it would work reversed? Like if say.. a German citizen had identifiable info pulled from him and sold to a third party advertiser, BUT both the server and the advertising spam companies reside in the US? I know we have treaties, but not sure if the GDPR could be enforced since hidden clauses are uber popular with US companies.

 

2 hours ago, Burble said:

when poor connection help you to learn the mysteries of the universe ?

[Screenshot: dualuniverse_2021-01-29_12h02m58s.png]

 

Ha! What happened there?

Link to comment

5 minutes ago, Deintus said:

How do you think it would work reversed? Like if say.. a German citizen had identifiable info pulled from him and sold to a third party advertiser, BUT both the server and the advertising spam companies reside in the US? I know we have treaties, but not sure if the GDPR could be enforced since hidden clauses are uber popular with US companies.

Not easily -- but they have avenues through international treaty, especially between US/EU. GDPR supersedes any clause hidden in the terms of use when it comes to EU citizens. 

 

Honestly, NQ would probably be the party that receives the fine -- they're the ones that own the data and it is their obligation to make sure their users abide by GDPR. I don't think there's ever been a case where the EU fines an individual for GDPR violations...random gamers probably don't have anything to worry about....but NQ? They maybe should. 

 

Chances are good they could ignore it and there'd never be a problem...but if there was a breach (see my phishing description above) they'd be in trouble.

Link to comment

2 hours ago, Deintus said:

 

 

Ha! What happened there?

internet was going real slow and one of the spy bird boxes loaded elements in before honeycomb, giving us a glimpse into the interior of this controversial device. Seems like a lot of fuss over a PB and a sensor.

Link to comment

13 hours ago, Burble said:

internet was going real slow and one of the spy bird boxes loaded elements in before honeycomb, giving us a glimpse into the interior of this controversial device. Seems like a lot of fuss over a PB and a sensor.

I see now lol. So no aliens involved or tin foil hats required.

 

Link to comment

Welcome to Dual Universe. Knowledge is power.

With this information he can sell information to other orgs; it's not a crime, it's just a builder of a player database to know people.
Dual Universe is constructed by players, and if we play DU and not Star Citizen it's for the LUA.

 

Link to comment

OK, let's do this.

 

Hi, I'm Oxdale, Founder and Associate at Huginn & Muninn Associates. I'm also the founder of the Old Guard of Gaia (this detail is important), an organisation for which I took a back seat some months ago (burn out), but the OGG values are still alive!

 

I made and deployed the BIRD. This is not my main service but an experimental system I'm still working on.

 

The goal:
As I said, I founded the Old Guard of Gaia, whose values are independence, balance, immersion and respect. My ultimate goal is to live in an immersive world, where relations between "evil"&"good", "PvP"&"Carebear", "Casual"&"Hardcore", ... are balanced and sustainable in the long term, and where players have respect even if characters can spit on each other with a smile. It has always been my motivation. You can find my interventions on this forum, long before I even had the idea of Huginn&Muninn.

 

The idea:
I'm developing a service to help organizations and any players to protect themselves against scammers, freePK, trolls, thieves, serial-org-quitters and every toxic behavior we could find. Because currently, those actions can be made with full impunity and it's nearly impossible to prevent this. I'm trying to find a way.

 

And thus, it is not a surprise that some dislike this service. Choose your side.

 

The service:
It is a paid service, indeed. Because I need to pay for fuel, scrap, cells and spare elements for my ship. But I told all my current clients that friendship, safe shelter, fuel&repairs and visits are a sufficient payment for me. Information is also a kind of payment I accept with great pleasure. I don't care about earning money, I just want to explore and make contacts with the noveans (also an OGG concept). Furthermore, trading allows me to fly my ship.

 

I wanted it independent from any organization because it's not a domination tool. On the contrary, it is a leveling tool. But don't be fooled: big organizations have the same, and probably more. I'm here also for the little ones.

 

The code:
The BIRDs are running strictly the same code you can find around any serious base or ship, and I'm still developing it to consume fewer and fewer resources, given the heavy limitations NQ already enforces for Lua scripts, especially around markets (Alioth ...). Believe me, I don't like cluttered markets either, so I made it, I hope, quite aesthetic, small, immersive and not on the paths. Moreover, the script is just an on/off run, it does not last more than 500ms.

 

Everything I read about what I can do with Lua is really pure fantasy. This is a basic piece of code. All the refinements are for ingame performance and exploitation.

 

 

 

Now some reactions to what I read here:

 

First point: if I wanted to spy, I wouldn't describe Huginn&Muninn Associates as an intelligence and security agency; this has been in the public description from the beginning. And, obviously, I wouldn't build this as full white pillars with crows from a Huginn&Muninn org (any simple research on Google would give you a lot of hints). If I was an evil hidden spy, I would do like some others already do: put up "trade", "recruitment", "mission" or "get fuel" booths and hide sensors, or just land a little speeder with some code in it. There are so many ways to hide it visually (even if it would have been detected in the Lua channel tab). I chose to show it with some elegance.

 

Second point: some are surprised Lua is executing code on their PC. It's how Lua works, and how it has worked in DU from the beginning. And news for them: same for every single line of JavaScript on a web page. And there is A LOT of it, and far more harmful than gathering avatar IDs in a video game.

 

Third point: This is emergent gameplay. If NQ doesn't consider it the same, no problem. I'll do something else.

 

I won't intervene anymore in this thread because I think I've written all of it. But I would be glad to chat on Discord with you about this.

 

Link to comment

On 1/30/2021 at 12:24 PM, Oxdale said:

Second point: some are surprised Lua is executing code on their PC. It's how Lua works, and how it has worked in DU from the beginning. And news for them: same for every single line of JavaScript on a web page. And there is A LOT of it, and far more harmful than gathering avatar IDs in a video game.

 

Third point: This is emergent gameplay. If NQ doesn't consider it the same, no problem. I'll do something else.

 

I won't intervene anymore in this thread because I think I've written all of it. But I would be glad to chat on Discord with you about this.

 

It's never been a question of intent or even application.

 

It isn't about "not liking" these boxes or some paranoid rant about the intent behind them. Personally, I think it is a brilliant facet of emergent gameplay. The merit of this data logging isn't really the issue for me.

 

The question (for me): "is this legal under GDPR?". Specifically, logging a player name and then giving or selling that data to third parties. This is a question NQ needs to understand and answer.

 

This is a question that will not go away, especially as other games offer in-game APIs or as DU grows (if it grows). 

 

Having a valid player name might seem like it is "completely useless" and has no relation to the real world -- or that anonymous data mined by javascript like Google Analytics is "more harmful" -- it isn't that simple! 

 

It can and will eventually lead to real-world phishing. That's why privacy laws exist...because companies like NQ don't always think about how clever criminals can abuse data they give away freely to run highly targeted scams. 

 

Let's pretend it isn't even DU. Some other MMO launches with a similar model and is highly successful. A player creates a similar logging system using in-game tools: they store player names and the last time they were recorded -- that's it.

 

They sell this data for in-game currency.

Someone buys or farms a huge list of two million player names and last active time.

They create a bot that adds common email TLDs to every user name (@gmail, @yahoo, etc.) and scans social media for matching handles. 

They spam everyone on the list with messages and emails that look like they originate from the game studio. They don't care if the match rate is horrible because they have 2 million records and already know enough about those people to create a targeted, compelling campaign. 

By spoofing the studio's login pages, they gain credentials and start selling off compromised game accounts. Or worse, they collect and sell credit card information or other PII. 

 

Only then would the game studio face complaints and GDPR fines for not complying with the law...

 

Will this ever happen to DU? Probably not unless they magically explode their player base. But it will happen to some game studio eventually, especially if the idea of in-game coding for content generation keeps gaining traction. 

Link to comment

https://gdpr-info.eu/issues/personal-data/

 

Quote

The term ‘personal data’ is the entryway to the application of the General Data Protection Regulation (GDPR). Only if a processing of data concerns personal data, the General Data Protection Regulation applies. The term is defined in Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person.

 

Link to comment

On 1/26/2021 at 11:13 PM, GraXXoR said:

Imma jus' gonna stop you there fella'...

 

OP said nothing about embedding code in a player... And where the actual f... did you get the idea that someone took out MP15 "with this type of code"

That's some serious imagination you got there...

Unbridled extrapolation and crowbarring irrelevant shit like NQ's RDMS error on MP15 into an argument about data gathering is how groups like QAnon get their first toehold...

Shit may have got real but your arguments are anything but.


 


And... BOOM... now we have the expected ignorant, kneejerk personally-offended redneck responses...    Just like Newsmax.

This needs to be nipped in the bud.

 

  • The game does NOT allow you to "Plant" LUA on someone.

 

A sensor can be used to detect the presence of a player or construct.
This is usually for automation, such as a sliding door, activating a screen or switching on lights.

 

However, it can also store a timestamp and the ID of a player. THAT IS ALL...  

 

  • It can't tell what you're doing. It can't read the contents of your Nanopack.

 

The MP15 was disassembled by players. No LUA was used.

 

However, as with everything NQ, they turned a minor and somewhat amusing mistake (in a game labelled BETA that is still actually ALPHA) into a catastrophe of biblical proportions as only JC can manage.


Why?

 

NQ amusingly banned paying customers for disassembling MP15 due to applying poor RDMS permissions, to much fanfare and handwaving.   No LUA was used.

This would have been pretty much kosher were it not for the even more amusing fact that NQ had just days before EXPLICITLY stated that RDMS settings are 100% the responsibility of the owner and that they, NQ, would point blank refuse to assist players who had had their shit stolen by other players playing the game since it was basically their own stupid fault for not learning how to use the RDMS. Yet when NQ made a mistake, they treated it as a personal attack and went into super-defensive mode with "surgical precision" in punishing the miscreants. Banning them from the game. Much like their response to the people that bought schematics mistakenly sold for a 99% discount... oh wait.
 

This reminds me of the lady on the news about 45-65 years old saying "they" were beaming covid into us by satellites..... A. Who is "they"? B. If we had tech that amazing people like her would most likely already be reprogrammed... C. Amazing a bio can be beamed from space!!!

 

My daughter plays Roblox.... they have fake hacker groups spin up.... all these young kids go bananas over getting hacked and some of the rents buy into it as well LOL getting hacked on a video game full of kids...... now what is brilliant is are most likely the same kids or ones not remotely involved with them in anyway capitalizing on their YouTube channels by saying they were hacked subs go up by the thousands and views???? hundreds of thousands in weeks!!!!

 

There is always a boogieman to explain away things that people don't understand..... brilliant way to get the masses chirping....
