MantisBT - Doomseeker
View Issue Details
ID: 0003712
Project: Doomseeker
Category: UI
View status: public
Date submitted: 2019-09-19 12:49
Last update: 2020-01-19 15:24
Reporter: WubTheCaptain
Priority: none
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product version: 1.3
0003712: The user isn't requested (informed) consent for their personal data to be collected/processed by servers
For a while now, I've been reminded of that popup in Transmission and thought, "hey, Doomseeker doesn't have something similar for personal data shared to servers."
I'm quite sure servers running on engines supported by Doomseeker collect and process quite a bit of personal data, including:
  • IP address
  • Chat messages
  • Player name
  • (GeoIP country)

The legal basis is probably legitimate interests. The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Master servers may also collect or process personal information.
Maybe we could help a little bit with that, at least as far as it goes for the primary feature of Doomseeker (contacting master servers). As far as I know, the "Welcome to Doomseeker" first time configuration popup makes no mention of this and queries master servers immediately without the user's acceptance. Or at least disclaim Doomseeker developers don't operate (all) the master servers or game servers.
No tags attached.
related to 0003732 (new): No build-time configuration to disable IP2C auto updates (phoning home)
Attachment: 2019-09-19-123924_maim.png (png, 11,548 bytes), added 2019-09-19 12:50
https://zandronum.com/tracker/file_download.php?file_id=2504&type=bug
Issue History
2019-09-19 12:49 | WubTheCaptain | New Issue
2019-09-19 12:50 | WubTheCaptain | File Added: 2019-09-19-123924_maim.png
2019-09-19 12:53 | WubTheCaptain | Note Added: 0021031
2019-09-19 12:54 | WubTheCaptain | Description Updated
2019-09-19 16:10 | Filystea | Note Added: 0021032
2019-09-19 16:11 | Filystea | Note Edited: 0021032
2019-09-19 21:01 | Blzut3 | Note Added: 0021033
2019-09-20 00:16 | WubTheCaptain | Note Added: 0021034
2019-09-20 00:16 | WubTheCaptain | Status: new => acknowledged
2019-09-20 00:38 | WubTheCaptain | Note Added: 0021035
2019-09-20 00:41 | WubTheCaptain | Summary: "The user isn't receiving informed consent of how their personal data may be collected/processed by servers" => "The user isn't giving informed consent for their personal data to be collected/processed by servers"
2019-09-20 00:42 | WubTheCaptain | Summary: "The user isn't giving informed consent for their personal data to be collected/processed by servers" => "The user isn't giving (informed) consent for their personal data to be collected/processed by servers"
2019-09-20 00:43 | WubTheCaptain | Summary: "The user isn't giving (informed) consent for their personal data to be collected/processed by servers" => "The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration"
2019-09-20 00:44 | WubTheCaptain | Summary: "The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration" => "The user isn't requested (informed) consent for their personal data to be collected/processed by servers"
2019-09-20 01:48 | Blzut3 | Note Added: 0021036
2019-09-22 17:26 | AOSP | Note Added: 0021037
2019-09-22 17:48 | AOSP | Note Added: 0021038
2019-09-22 17:48 | AOSP | Note Edited: 0021038
2019-09-22 19:43 | WubTheCaptain | Note Added: 0021042
2019-09-22 19:44 | WubTheCaptain | Note Edited: 0021042
2019-09-22 19:48 | WubTheCaptain | Note Edited: 0021042
2019-09-22 19:57 | WubTheCaptain | Note Edited: 0021042
2019-09-22 22:05 | AOSP | Note Added: 0021043
2019-09-23 12:09 | WubTheCaptain | Note Added: 0021044
2019-09-23 12:09 | WubTheCaptain | Note Edited: 0021044
2019-09-23 12:17 | WubTheCaptain | Note Edited: 0021044
2019-09-23 12:17 | WubTheCaptain | Note Edited: 0021044
2019-09-23 12:36 | WubTheCaptain | Category: Documentation => UI
2019-09-23 12:38 | WubTheCaptain | Note Edited: 0021044
2020-01-19 15:08 | WubTheCaptain | Note Added: 0021103
2020-01-19 15:23 | WubTheCaptain | Relationship added: parent of 0003732
2020-01-19 15:24 | WubTheCaptain | Relationship replaced: related to 0003732

Notes
(0021031) WubTheCaptain, 2019-09-19 12:53

Quote:
    The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

And the Zandronum master server banlist too, being publicly accessible and collecting more than IP-addresses.
(0021032) Filystea, 2019-09-19 16:10 (edited on: 2019-09-19 16:11)

Are you going to, like, inform the user about every basic shit now?

It's obvious that any server can collect your data.
Actually, someone who has no knowledge about it will find it suspicious.

(0021033) Blzut3, 2019-09-19 21:01

Although as an American that's glad that the USA hasn't yet adopted GDPR, I personally agree with Filystea's thoughts. (I would elaborate on my opinion, but it's not relevant to this ticket.) Since the world doesn't revolve around my opinions, it probably wouldn't be a bad idea to add a GDPR notice to the first run.

Of note however is that the GDPR does not apply to "personal activity" (https://gdpr-info.eu/art-2-gdpr/) which Zandronum may fall under. Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it. But I don't know.

The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.

You could be right that European game servers should have a notice, and as far as I know Doomseeker would be the best place to have a cover-all notice. (Especially since I would assume most people don't think about legal things when starting a server there.) I'm not sure if Transmission's notice has anything to do with GDPR or just informing users how torrents work, but we'd probably need some similarly vague "You're entering private property, so assume everything you do is being recorded."

In any case I leave it up to those who are affected by the law to determine what language is needed if any. I believe that's everyone on the team except me.
(0021034) WubTheCaptain, 2019-09-20 00:16

Off-topic notes. IANAL, caveat emptor.

Quote from Blzut3:
    Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it.

The data output from a program isn't copyrighted under the same license as the program itself.

Quote from Blzut3:
    The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.

If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

There are international treaties between the EU and the US, such as the EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (judicial redress).

Quote from Blzut3:
    You could be right that European game servers should have a notice

Any server that processes personal data from EU member state citizens. But that's what game servers should notify the user about, not us.

Quote from Blzut3:
    I'm not sure if Transmissions notice has anything to do with GDPR or just informing users how torrents work

The latter. I used it as an illustration for a short consent dialog.

Quote from Blzut3:
    In any case I leave it up to those who are affected by the law to determine what language is needed if any.

Since Doomseeker developers aren't controllers for that data, we don't know what's necessarily collected; I'm not going to expect full privacy statements from Doomseeker. The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one. (Short of the master server itself advertising a privacy policy URL in a response.)

Of course, I suppose the welcome dialog would need to be changed to only query master servers (enable engines) after consenting, even if we don't do the privacy statement thing.
(0021035) WubTheCaptain, 2019-09-20 00:38

Quote from WubTheCaptain:
    The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one.

The preparedness of those master server operators for basic data protection laws is probably so shamefully awful, I think I'd be more inclined to skip this step anyway. Thus, my focus on the pseudo-consent dialog.
(0021036) Blzut3, 2019-09-20 01:48

Quote from WubTheCaptain:
    The data output from a program isn't copyrighted under the same license as the program itself.

This is where things can potentially get a little hairy. By license Zandronum can not be used for commercial purposes. The meaning of this is kind of vague, but these kinds of restrictions on the use of output actually occur in EULAs a lot. For example IDA Free does not permit disassembling a program and using that information to, say, create anti-virus definitions. Is it enforceable? I don't know, but certainly the spirit of the license would be that the program could not be used in the process of creating financial revenue. I've certainly heard lawyers make arguments that even having a donation link on this website would be a violation of a non-commercial license (this was in the context of why projects like Debian can't include non-free software even if they wanted to).

Quote from WubTheCaptain:
    If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

    There's international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).

Based on the research I've done the key is market targeting. Since Zandronum is completely agnostic to its visitor's location: we don't run targeted ads (or any ads for that matter), we don't sell services in Euros (not that we could because of licensing), we don't have any keywords that would suggest connection to the EU, thus this site can operate concerning itself with only US laws. In effect you are visiting the US when you access zandronum.com services.

Anyway, I'd rather not continue to pollute this ticket with these kinds of opinions. I'm happy to have a debate with you via email if you desire though.
(0021037) AOSP, 2019-09-22 17:26

Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's taken, like, nineteen years for anyone to care. Zandronum is too small for this problem to even exist in the first place. The GDPR was created to regulate large tech companies, and Zandronum isn't a large tech company, it's not even a legal entity - it's a source port for a 25 year old game, and any attempt to resolve this issue will just create effort for everyone and result in nothing.

Either do nothing or add that Transmission-like popup: hosting servers costs me enough just for the machine; imagine the cost of the lawyer if I was required to provide a privacy policy that nobody's going to read.
(0021038) AOSP, 2019-09-22 17:48 (edited on: 2019-09-22 17:48)

Quote:
    The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

Not true, server hosts on TSPG (or AllFearTheSentinel as you called it) are no longer able to view player IPs due to GDPR. This is the most we could do considering we don't have the resources to fund a bunch of developers and lawyers to help redesign Zandronum.

(0021042) WubTheCaptain, 2019-09-22 19:43 (edited on: 2019-09-22 19:57)

Quote from AOSP:
    Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's not a problem with Zandronum per se, it's with server operators.

Quote from AOSP:
    The GDPR was created to regulate large tech companies

Arguably to give the rights back to the users, because organisations and tech companies (especially large ones) most often didn't self-regulate with a directive.

Quote from AOSP:
    Either do nothing or add that Transmission-like popup

I repeat it should not be a concern for Doomseeker how Zandronum server operators don't follow basic data protection laws, which only take an hour or two to accomplish without lawyers with all the guidance available from DPAs.
A simple, short one-paragraph consent dialogue like Transmission does would do fine to give the user a choice: use Doomseeker with online capabilities, or allow using Doomseeker offline (to start offline or LAN servers) while online features (master server querying) are disabled.

Quote from AOSP:
    Quote:
        The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

    Not true

Re: accounts: https://web.archive.org/web/20190919130355/https://allfearthesentinel.net/policies/privacy.php

(0021043) AOSP, 2019-09-22 22:05

People are not going to spend "an hour or two" dealing with legal shit so they can shoot some twenty-five year old pixels. And I'm going to spend that time either considering that literally nobody ever reads the motd, and that even fewer people will give a shit about a privacy notice that will make no difference whatsoever - and let's be honest, won't be much good without professional consultancy.

And I'm not sure what you're trying to prove by linking TSPG's privacy page? Were you expecting a beautifully written legal document? It explains as best it can. TSPG costs several hundred dollars out of pocket a month to run; we're not adding lawyer costs on top of that so one person can feel happy while reading what they knew already.
(0021044) WubTheCaptain, 2019-09-23 12:09 (edited on: 2019-09-23 12:38)

Thank you for confirming the concern is real in this issue, AOSP.

I'm also at your disposal on Zandronum IRC today if you want to debate about data protection further. (Which is ironic, because there's no data protection statement there either.)

(0021103) WubTheCaptain, 2020-01-19 15:08

I was now reminded that IP2C auto update is enabled by default and phones home to DRDTeam (the developers).