ID: 0003712
Project: Doomseeker
Category: UI
View Status: public
Date Submitted: 2019-09-19 12:49
Last Update: 2020-01-19 15:24
Reporter: WubTheCaptain
Assigned To:
Priority: none
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Platform:
OS:
OS Version:
Product Version: 1.3
Target Version:
Fixed in Version:
Summary: 0003712: The user isn't requested (informed) consent for their personal data to be collected/processed by servers
Description: For a while now, I've been reminded of that popup in Transmission and thought, "hey, Doomseeker doesn't have something similar for personal data shared to servers."
I'm quite sure servers running on engines supported by Doomseeker collect and process quite a bit of personal data, including:
  • IP address
  • Chat messages
  • Player name
  • (GeoIP country)

The legal basis is probably legitimate interests. The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Master servers may also collect or process personal information.
Maybe we could help a little bit with that, at least as far as it goes for the primary feature of Doomseeker (contacting master servers). As far as I know, the "Welcome to Doomseeker" first time configuration popup makes no mention of this and queries master servers immediately without the user's acceptance. Or at least disclaim Doomseeker developers don't operate (all) the master servers or game servers.
Attached Files: 2019-09-19-123924_maim.png (11,548 bytes) 2019-09-19 12:50

- Relationships
related to 0003732 (needs testing, Zalewa): No build-time configuration to disable IP2C auto updates (phoning home)

-  Notes
(0021031)
WubTheCaptain (reporter)
2019-09-19 12:53

Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

And the Zandronum master server banlist too, being publicly accessible and collecting more than IP-addresses.
(0021032)
Filystea (reporter)
2019-09-19 16:10
edited on: 2019-09-19 16:11

Are you going to like inform user about every basic shit now?

It's obvious that any server can collect your data.
Actually someone who has no knowledge about it will find it suspicious.

(0021033)
Blzut3 (administrator)
2019-09-19 21:01

Although as an American that's glad that the USA hasn't yet adopted GDPR, I personally agree with Filystea's thoughts. (I would elaborate on my opinion, but it's not relevant to this ticket.) Since the world doesn't revolve around my opinions, it probably wouldn't be a bad idea to add a GDPR notice to the first run.

Of note however is that the GDPR does not apply to "personal activity" (https://gdpr-info.eu/art-2-gdpr/) which Zandronum may fall under. Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it. But I don't know.

The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.

You could be right that European game servers should have a notice and as far as I know Doomseeker would be the best place to have a cover all notice. (Especially since I would assume most people don't think about legal things when starting a server there.) I'm not sure if Transmission's notice has anything to do with GDPR or just informing users how torrents work, but we'd probably need some similarly vague "You're entering private property, so assume everything you do is being recorded."

In any case I leave it up to those who are affected by the law to determine what language is needed if any. I believe that's everyone on the team except me.
(0021034)
WubTheCaptain (reporter)
2019-09-20 00:16

Off-topic notes. IANAL, caveat emptor.

Quote from Blzut3
Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it.


The data output from a program isn't copyrighted under the same license as the program itself.

Quote from Blzut3
The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.


If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

There are international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).

Quote from Blzut3
You could be right that European game servers should have a notice


Any server that processes personal data from EU member state citizens. But that's what game servers should notify the user about, not us.

Quote from Blzut3
I'm not sure if Transmission's notice has anything to do with GDPR or just informing users how torrents work


The latter. I used it as an illustration for a short consent dialog.

Quote from Blzut3
In any case I leave it up to those who are affected by the law to determine what language is needed if any.


Since Doomseeker developers aren't controllers for that data, we don't know what's necessarily collected; I'm not going to expect full privacy statements from Doomseeker. The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one. (Short of the master server itself advertising a privacy policy URL in a response.)

Of course, I suppose the welcome dialog would need to be changed to only query master servers (enable engines) after consenting; even if we don't do the privacy statement thing.
(0021035)
WubTheCaptain (reporter)
2019-09-20 00:38

Quote from WubTheCaptain
The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one.


The preparedness of those master server operators for basic data protection laws is probably so shamefully awful, I think I'd be more inclined to skip this step anyway. Thus, my focus on the pseudo-consent dialog.
(0021036)
Blzut3 (administrator)
2019-09-20 01:48

Quote from WubTheCaptain
The data output from a program isn't copyrighted under the same license as the program itself.

This is where things can potentially get a little hairy. By license Zandronum cannot be used for commercial purposes. The meaning of this is kind of vague, but these kinds of restrictions on the use of output actually occur in EULAs a lot. For example IDA Free does not permit disassembling a program and using that information to, say, create anti-virus definitions. Is it enforceable? I don't know, but certainly the spirit of the license would be that the program could not be used in the process of creating financial revenue. I've certainly heard lawyers make arguments that even having a donation link on this website would be a violation of a non-commercial license (this was in context of why projects like Debian can't include non-free software even if they wanted to).
Quote from WubTheCaptain
If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

There are international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).

Based on the research I've done the key is market targeting. Since Zandronum is completely agnostic to its visitor's location: We don't run targeted ads (or any ads for that matter), we don't sell services in Euros (not that we could because of licensing), we don't have any keywords that would suggest connection to the EU, thus this site can operate concerning itself with only US laws. In effect you are visiting the US when you access zandronum.com services.

Anyway, I'd rather not continue to pollute this ticket with these kinds of opinions. I'm happy to have a debate with you via email if you desire though.
(0021037)
DrinkyBird (reporter)
2019-09-22 17:26

Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's taken, like, nineteen years for anyone to care. Zandronum is too small for this problem to even exist in the first place. The GDPR was created to regulate large tech companies, and Zandronum isn't a large tech company, it's not even a legal entity - it's a source port for a 25 year old game, and any attempt to resolve this issue will just create effort for everyone and result in nothing.

Either do nothing or add that Transmission-like popup: hosting servers costs me enough just for the machine; imagine the cost of the lawyer if I was required to provide a privacy policy that nobody's going to read.
(0021038)
DrinkyBird (reporter)
2019-09-22 17:48
edited on: 2019-09-22 17:48

Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.


Not true, server hosts on TSPG (or AllFearTheSentinel as you called it) are no longer able to view player IPs due to GDPR. This is the most we could do considering we don't have the resources to fund a bunch of developers and lawyers to help redesign Zandronum.

(0021042)
WubTheCaptain (reporter)
2019-09-22 19:43
edited on: 2019-09-22 19:57

Quote from AOSP
Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's not a problem with Zandronum per se, it's with server operators.
Quote from AOSP
The GDPR was created to regulate large tech companies

Arguably to give the rights back to the users, because organisations and tech companies (especially large ones) didn't most often self-regulate with a directive.
Quote from AOSP
Either do nothing or add that Transmission-like popup

I repeat it should not be a concern for Doomseeker how Zandronum server operators don't follow basic data protection laws, which only take an hour or two to accomplish without lawyers with all the guidance available from DPAs.
A simple, short one paragraph consent dialogue like Transmission does would do fine to give the user a choice; use Doomseeker with online capabilities, or allow using Doomseeker offline (to start offline or LAN servers) while online features (master server querying) are disabled.
Quote from AOSP
Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

Not true

Re: accounts: https://web.archive.org/web/20190919130355/https://allfearthesentinel.net/policies/privacy.php

(0021043)
DrinkyBird (reporter)
2019-09-22 22:05

People are not going to spend "an hour or two" dealing with legal shit so they can shoot some twenty-five year old pixels. And I'm going to spend that time either considering that literally nobody ever reads the motd, and that even less people will give a shit about a privacy notice that will make no difference whatsoever - and let's be honest, won't be much good without professional consultancy.

And I'm not sure what you're trying to prove by linking TSPG's privacy page? Were you expecting a beautifully written legal document? It explains as best it can. TSPG costs several hundred dollars out of pocket a month to run; we're not adding lawyer costs on top of that so one person can feel happy while reading what they knew already.
(0021044)
WubTheCaptain (reporter)
2019-09-23 12:09
edited on: 2019-09-23 12:38

Thank you for confirming the concern is real in this issue, AOSP.

I'm also at disposal on Zandronum IRC today if you want to debate about data protection further. (Which is ironic, because there's no data protection statement there either.)

(0021103)
WubTheCaptain (reporter)
2020-01-19 15:08

I was now reminded that IP2C auto update is enabled by default and phones home to DRDTeam (the developers).

- Issue History
Date Modified Username Field Change
2019-09-19 12:49 WubTheCaptain New Issue
2019-09-19 12:50 WubTheCaptain File Added: 2019-09-19-123924_maim.png
2019-09-19 12:53 WubTheCaptain Note Added: 0021031
2019-09-19 12:54 WubTheCaptain Description Updated View Revisions
2019-09-19 16:10 Filystea Note Added: 0021032
2019-09-19 16:11 Filystea Note Edited: 0021032 View Revisions
2019-09-19 21:01 Blzut3 Note Added: 0021033
2019-09-20 00:16 WubTheCaptain Note Added: 0021034
2019-09-20 00:16 WubTheCaptain Status new => acknowledged
2019-09-20 00:38 WubTheCaptain Note Added: 0021035
2019-09-20 00:41 WubTheCaptain Summary The user isn't receiving informed consent of how their personal data may be collected/processed by servers => The user isn't giving informed consent for their personal data to be collected/processed by servers
2019-09-20 00:42 WubTheCaptain Summary The user isn't giving informed consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers
2019-09-20 00:43 WubTheCaptain Summary The user isn't giving (informed) consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration
2019-09-20 00:44 WubTheCaptain Summary The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration => The user isn't requested (informed) consent for their personal data to be collected/processed by servers
2019-09-20 01:48 Blzut3 Note Added: 0021036
2019-09-22 17:26 DrinkyBird Note Added: 0021037
2019-09-22 17:48 DrinkyBird Note Added: 0021038
2019-09-22 17:48 DrinkyBird Note Edited: 0021038 View Revisions
2019-09-22 19:43 WubTheCaptain Note Added: 0021042
2019-09-22 19:44 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 19:48 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 19:57 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 22:05 DrinkyBird Note Added: 0021043
2019-09-23 12:09 WubTheCaptain Note Added: 0021044
2019-09-23 12:09 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:17 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:17 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:36 WubTheCaptain Category Documentation => UI
2019-09-23 12:38 WubTheCaptain Note Edited: 0021044 View Revisions
2020-01-19 15:08 WubTheCaptain Note Added: 0021103
2020-01-19 15:23 WubTheCaptain Relationship added parent of 0003732
2020-01-19 15:24 WubTheCaptain Relationship replaced related to 0003732





