Jump to content

Mass Player Tracking Projects & Spying


Virtual

Recommended Posts

9 minutes ago, RhajaZola said:

There is always a boogieman to explain away things that people dont understand..... brilliant way to get the masses chirping....

Sure, but there's a big difference between baseless conspiracy and concern over data privacy and governance. 

 

That there are bad actors lurking everywhere eager to abuse and exploit data isn't a conspiracy, it's a fact

 

GDPR is really clear about what data is protected. There's been multiple explanations written about how it applies to game data, including player names. No court would buy the argument that these data are "not related to natural persons" because it is logging the activities of an "avatar" vs. a person. That's not what the law says and various entities that specialize in collecting game analytics agree. 

 

There are actual reasons to keep this data protected...beyond it being the legal requirement for EU citizens where GDPR applies. 

 

I'm sure no one will care and most people think it is paranoid.

 

I'm also sure that someday an API like this will be involved in GDPR lawsuits or fines or brute force attacks that further compromise PII. 

 

Link to comment
Share on other sites

1 hour ago, michaelk said:

Sure, but there's a big difference between baseless conspiracy and concern over data privacy and governance. 

 

That there are bad actors lurking everywhere eager to abuse and exploit data isn't a conspiracy, it's a fact

 

GDPR is really clear about what data is protected. There's been multiple explanations written about how it applies to game data, including player names. No court would buy the argument that these data are "not related to natural persons" because it is logging the activities of an "avatar" vs. a person. That's not what the law says and various entities that specialize in collecting game analytics agree. 

 

There are actual reasons to keep this data protected...beyond it being the legal requirement for EU citizens where GDPR applies. 

 

I'm sure no one will care and most people think it is paranoid.

 

I'm also sure that someday an API like this will be involved in GDPR lawsuits or fines or brute force attacks that further compromise PII. 

 

But its just an in game thing..... to a character not owned by the player. No real data is collected that can cause harm.... I don't know LUA... but if someone can make a script to collect your in game data im willing to bet there is a smart guy or gal out there that can script a privacy script to become a ghost to these things..... the million dollar a day idea.... please send me 10 percent!!

Link to comment
Share on other sites

19 minutes ago, RhajaZola said:

But its just an in game thing..... to a character not owned by the player. No real data is collected that can cause harm.... I don't know LUA... but if someone can make a script to collect your in game data im willing to bet there is a smart guy or gal out there that can script a privacy script to become a ghost to these things..... the million dollar a day idea.... please send me 10 percent!!

No data that can cause harm...?  ?As NQ has no doubt discovered, people are creative when it comes to exploits. :D 

 

It currently isn't possible to block these methods -- it isn't about being smart, it is about what API methods and settings NQ makes available. 

  1. You could use player names to match against social media handles and emails 
    Most people don't use the same player name as their social media handle or email. As a scammer, I don't care about "most people". If I have a crapload of records, I'm looking for gems. It's a numbers game with exploits and DU is protected because the numbers are somewhat low. If DU had 2 million players, this would be a no-brainer. Take every player name. Add common TLDs like "@gmail.com". Easy. 
     
  2. You could phish by impersonating NQ
    If I have a list of emails/social media handles (even a small list), I can create a targeted phishing campaigns to try to compromise your account, other PII, or financial information. If you receive a random spam email, you don't even look at it. Receiving something that looks like it is from NQ? It speaks to you because it is personalized -- even a tiny amount of context is valuable for scammers. Would you fall for it? I don't care, it's a numbers game and I have thousands of records. Someone will fall for it. 

This is exactly why laws like GDPR exist -- people are damn creative when there's a buck to be made...and it means being vigilant against every cybercriminal on the planet. 

 

Also (and I hate to pitch this philosophy) but it doesn't really matter if the data can cause harm or not -- GDPR still applies to EU citizens no matter how worthless it seems...so long as it falls into the criteria of PII (which I've already talked way too much about why a player name does count).

 

TLDR: don't use a character name that is remotely similar to a real life email or social media handle

Link to comment
Share on other sites

The term ‘personal data’ is the entryway to the application of the General Data Protection Regulation (GDPR). Only if a processing of data concerns personal data, the General Data Protection Regulation applies. The term is defined in Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person.

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

 

So if a name is in a certain place at a certain time from a French company that makes it possible, where EU citizens have access to, then it is already established by law that this is a natural person we are talking about. 

 

Furthermore: 
- How long will the data be kept? A look at Article 11.

 

Quote

1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.


2. 2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

Article 15 is interesting too :

 

Quote

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
=> Article: 12

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
=> Dossier: Disclosure

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
=> Dossier: Deletion

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
=> Dossier: Correction, Limitation Of Processing, Deletion, Objection

(f) the right to lodge a complaint with a supervisory authority;
=> Dossier: Complaint

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

The whole articles can be read here: https://www.privacy-regulation.eu/en/article-15-right-of-access-by-the-data-subject-GDPR.htm

 

Just because a few people don't care doesn't mean it doesn't matter. This is not about tin foil hats but about your rights as an EU citizen. If someone thinks they have to violate them and doesn't secure the legal cover, then we have a problem. I have nowhere given my consent for you to use this with my data.

 

Edit: 

TLDR: A French company allows a player to collect data on other EU citizens (players) without them knowing what is happening to them or being able to object and the EU players never had an opportunity to press somewhere "I Agree".

Link to comment
Share on other sites

8 hours ago, SirJohn85 said:

Just because a few people don't care doesn't mean it doesn't matter. This is not about tin foil hats but about your rights as an EU citizen. If someone thinks they have to violate them and doesn't secure the legal cover, then we have a problem. I have nowhere given my consent for you to use this with my data.

 

Edit: 

TLDR: A French company allows a player to collect data on other EU citizens (players) without them knowing what is happening to them or being able to object and the EU players never had an opportunity to press somewhere "I Agree".

I don't understand why people think that data governance is paranoia.

 

Don't be naive! 

 

"Oh that's not important, no one can use that for harm!". Yes, they can...and the law doesn't let you decide that case-by-case. 

 

It's baffling because part of NQ's job is game design -- understanding how people exploit systems for personal gain is kind of their wheelhouse? 

 

You think the situation I've outlined is obscure and unlikely? Great, so do I...that still means it is a viable attack vector.

 

There's a long list of companies that have learned the hard way that even obscure vectors eventually get exploited...how many cases have there been where corporations have been warned about an insecurity well before it was exploited, but didn't bother to do anything...? They probably thought it was paranoid, too -- that the risk was so low it didn't matter.

 

A lawsuit or exploit from a game API like this will materialize at some point. It might not be with DU, but it will happen.

Link to comment
Share on other sites

5 minutes ago, michaelk said:

I don't understand why people think that data governance is paranoia.

 

Don't be naive! 

 

"Oh that's not important, no one can use that for harm!". Yes, they can...and the law doesn't let you decide that case-by-case. 

 

It's baffling because part of NQ's job is game design -- understanding how people exploit systems for personal gain is kind of their wheelhouse? 

 

You think the situation I've outlined is obscure and unlikely? Great, so do I...that still means it is a viable attack vector.

 

There's a long list of companies that have learned the hard way that even obscure vectors eventually get exploited...how many cases have there been where corporations have been warned about an insecurity well before it was exploited, but didn't bother to do anything...? They probably thought it was paranoid, too -- that the risk was so low it didn't matter.

 

A lawsuit or exploit from a game API like this will materialize at some point. It might not be with DU, but it will happen.

I don't know why you're getting so upset. People didn't care when Snowden showed the world that they were being monitored.And before that, people were called lunatics who had already predicted it. But that also misses the point of this post.

 

What I actually want to say is:
Just because some don't want to make use of their rights doesn't mean that others don't want to. 

Link to comment
Share on other sites

1 hour ago, SirJohn85 said:

I don't know why you're getting so upset. People didn't care when Snowden showed the world that they were being monitored.And before that, people were called lunatics who had already predicted it. But that also misses the point of this post.

 

What I actually want to say is:
Just because some don't want to make use of their rights doesn't mean that others don't want to. 

Yeah I agree 100%, I hope it is clear that my post was aimed at the people calling it "tin foil hat wearing paranoid" :D 

 

And yeah, it isn't like any of this compliance is optional....NQ made the API, they have an obligation to understand and abide by GDPR (and CCPA, etc.) 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...