MantisBT - Doomseeker |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0003712 | Doomseeker | UI | public | 2019-09-19 12:49 | 2020-01-19 15:24 |
|
| Reporter | WubTheCaptain | |
| Assigned To | | |
| Priority | none | Severity | feature | Reproducibility | N/A |
| Status | acknowledged | Resolution | open | |
| Platform | | OS | | OS Version | |
| Product Version | 1.3 | |
| Target Version | | Fixed in Version | | |
|
| Summary | 0003712: The user isn't requested (informed) consent for their personal data to be collected/processed by servers |
| Description | For a while now, I've been reminded of that popup in Transmission and thought, "hey, Doomseeker doesn't have something similar for personal data shared to servers."
I'm quite sure servers running on engines supported by Doomseeker collect and process quite a bit of personal data, including:
- IP address
- Chat messages
- Player name
- (GeoIP country)
The legal basis is probably legitimate interests. The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Master servers may also collect or process personal information.
Maybe we could help a little bit with that, at least as far as it goes for the primary feature of Doomseeker (contacting master servers). As far as I know, the "Welcome to Doomseeker" first time configuration popup makes no mention of this and queries master servers immediately without the user's acceptance. Or at least disclaim Doomseeker developers don't operate (all) the master servers or game servers. |
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | 0003732 | needs testing | Zalewa | No build-time configuration to disable IP2C auto updates (phoning home) |
|
| Attached Files |  2019-09-19-123924_maim.png (11,548) 2019-09-19 12:50
https://zandronum.com/tracker/file_download.php?file_id=2504&type=bug
|
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2019-09-19 12:49 | WubTheCaptain | New Issue | |
| 2019-09-19 12:50 | WubTheCaptain | File Added: 2019-09-19-123924_maim.png | |
| 2019-09-19 12:53 | WubTheCaptain | Note Added: 0021031 | |
| 2019-09-19 12:54 | WubTheCaptain | Description Updated | bug_revision_view_page.php?rev_id=12836#r12836 |
| 2019-09-19 16:10 | Filystea | Note Added: 0021032 | |
| 2019-09-19 16:11 | Filystea | Note Edited: 0021032 | bug_revision_view_page.php?bugnote_id=21032#r12838 |
| 2019-09-19 21:01 | Blzut3 | Note Added: 0021033 | |
| 2019-09-20 00:16 | WubTheCaptain | Note Added: 0021034 | |
| 2019-09-20 00:16 | WubTheCaptain | Status | new => acknowledged |
| 2019-09-20 00:38 | WubTheCaptain | Note Added: 0021035 | |
| 2019-09-20 00:41 | WubTheCaptain | Summary | The user isn't receiving informed consent of how their personal data may be collected/processed by servers => The user isn't giving informed consent for their personal data to be collected/processed by servers |
| 2019-09-20 00:42 | WubTheCaptain | Summary | The user isn't giving informed consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers |
| 2019-09-20 00:43 | WubTheCaptain | Summary | The user isn't giving (informed) consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration |
| 2019-09-20 00:44 | WubTheCaptain | Summary | The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration => The user isn't requested (informed) consent for their personal data to be collected/processed by servers |
| 2019-09-20 01:48 | Blzut3 | Note Added: 0021036 | |
| 2019-09-22 17:26 | DrinkyBird | Note Added: 0021037 | |
| 2019-09-22 17:48 | DrinkyBird | Note Added: 0021038 | |
| 2019-09-22 17:48 | DrinkyBird | Note Edited: 0021038 | bug_revision_view_page.php?bugnote_id=21038#r12842 |
| 2019-09-22 19:43 | WubTheCaptain | Note Added: 0021042 | |
| 2019-09-22 19:44 | WubTheCaptain | Note Edited: 0021042 | bug_revision_view_page.php?bugnote_id=21042#r12848 |
| 2019-09-22 19:48 | WubTheCaptain | Note Edited: 0021042 | bug_revision_view_page.php?bugnote_id=21042#r12849 |
| 2019-09-22 19:57 | WubTheCaptain | Note Edited: 0021042 | bug_revision_view_page.php?bugnote_id=21042#r12850 |
| 2019-09-22 22:05 | DrinkyBird | Note Added: 0021043 | |
| 2019-09-23 12:09 | WubTheCaptain | Note Added: 0021044 | |
| 2019-09-23 12:09 | WubTheCaptain | Note Edited: 0021044 | bug_revision_view_page.php?bugnote_id=21044#r12852 |
| 2019-09-23 12:17 | WubTheCaptain | Note Edited: 0021044 | bug_revision_view_page.php?bugnote_id=21044#r12853 |
| 2019-09-23 12:17 | WubTheCaptain | Note Edited: 0021044 | bug_revision_view_page.php?bugnote_id=21044#r12854 |
| 2019-09-23 12:36 | WubTheCaptain | Category | Documentation => UI |
| 2019-09-23 12:38 | WubTheCaptain | Note Edited: 0021044 | bug_revision_view_page.php?bugnote_id=21044#r12855 |
| 2020-01-19 15:08 | WubTheCaptain | Note Added: 0021103 | |
| 2020-01-19 15:23 | WubTheCaptain | Relationship added | parent of 0003732 |
| 2020-01-19 15:24 | WubTheCaptain | Relationship replaced | related to 0003732 |
|
Notes |
|
|
|
Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
And the Zandronum master server banlist too, being publicly accessible and collecting more than IP-addresses. |
|
|
|
(0021032)
|
|
Filystea
|
2019-09-19 16:10
(edited on: 2019-09-19 16:11) |
|
Are you going to like inform user about every basic shit now?
It's obvious that any server can collect your data.
Actually someone who has no knowledge about it will find it suspicious.
|
|
|
|
(0021033)
|
|
Blzut3
|
|
2019-09-19 21:01
|
|
Although as an American that's glad that the USA hasn't yet adopted GDPR, I personally agree with Filystea's thoughts. (I would elaborate on my opinion, but it's not relevant to this ticket.) Since the world doesn't revolve around my opinions, it probably wouldn't be a bad idea to add a GDPR notice to the first run.
Of note however is that the GDPR does not apply to "personal activity" (https://gdpr-info.eu/art-2-gdpr/) which Zandronum may fall under. Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it. But I don't know.
The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.
You could be right that European game servers should have a notice and as far as I know Doomseeker would be the best place to have a cover all notice. (Especially since I would assume most people don't think about legal things when starting a server there.) I'm not sure if Transmissions notice has anything to do with GDPR or just informing users how torrents work, but we'd probably need some similarly vague "You're entering private property, so assume everything you do is being recorded."
In any case I leave it up to those who are affected by the law to determine what language is needed if any. I believe that's everyone on the team except me. |
|
|
|
|
Off-topic notes. IANAL, caveat emptor.
Quote from Blzut3
Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it.
The data output from a program isn't copyrighted under the same license as the program itself.
Quote from Blzut3
The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.
If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.
There's international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).
Quote from Blzut3
You could be right that European game servers should have a notice
Any server that processes personal data from EU member state citizens. But that's what game servers should notify the user about, not us.
Quote from Blzut3
I'm not sure if Transmissions notice has anything to do with GDPR or just informing users how torrents work
The latter. I used it as an illustration for a short consent dialog.
Quote from Blzut3
In any case I leave it up to those who are affected by the law to determine what language is needed if any.
Since Doomseeker developers aren't controllers for that data, we don't know what's necessarily collected; I'm not going to expect full privacy statements from Doomseeker. The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one. (Short of the master server itself advertising a privacy policy URL in a response.)
Of course, I suppose the welcome dialog would need to be changed to only query master servers (enable engines) after consenting; even if we don't do the privacy statement thing. |
|
|
|
|
Quote from WubTheCaptain
The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one.
The preparedness of those master server operators for basic data protection laws is probably so shamefully awful, I think I'd be more inclined to skip this step anyway. Thus, my focus on the pseudo-consent dialog. |
|
|
|
(0021036)
|
|
Blzut3
|
|
2019-09-20 01:48
|
|
Quote from WubTheCaptain
The data output from a program isn't copyrighted under the same license as the program itself.
This is where things can potentially get a little hairy. By license Zandronum can not be used for commercial purposes. The meaning of this is kind of vague, but these kinds of restrictions on the use of output actually occurs in EULAs a lot. For example IDA Free does not permit disassembling a program and using that information to say create anti-virus definitions. Is it enforceable? I don't know, but certainly the spirit of the license would be that the program could not be used in the process of creating financial revenue. I've certainly heard lawyers make arguments that even having a donation link on this website would be a violation of a non-commercial license (this was in context of why projects like Debian can't include non-free software even if they wanted to).
Quote from WubTheCaptain
If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.
There's international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).
Based on the research I've done the key is market targeting. Since Zandronum is completely agnostic to its visitor's location: We don't run targeted ads (or any ads for that matter), we don't sell services in Euros (not that we could because of licensing), we don't have any keywords that would suggest connection to the EU, thus this site can operate concerning itself with only US laws. In effect you are visiting the US when you access zandronum.com services.
Anyway, I'd rather not continue to pollute this ticket with these kinds of opinions. I'm happy to have a debate with you via email if you desire though. |
|
|
|
|
Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?
It's taken, like, nineteen years for anyone to care. Zandronum is too small for this problem to even exist in the first place. The GDPR was created to regulate large tech companies, and Zandronum isn't a large tech company, it's not even a legal entity - it's a source port for a 25 year old game, and any attempt to resolve this issue will just create effort for everyone and result in nothing.
Either do nothing or add that Transmission-like popup: hosting servers costs me enough just for the machine; imagine the cost of the lawyer if I was required to provide a privacy policy that nobody's going to read. |
|
|
|
|
Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Not true, server hosts on TSPG (or AllFearTheSentinel as you called it) are no longer able to view player IPs due to GDPR. This is the most we could do considering we don't have the resources to fund a bunch of developers and lawyers to help redesign Zandronum.
|
|
|
|
(0021042)
|
|
WubTheCaptain
|
2019-09-22 19:43
(edited on: 2019-09-22 19:57) |
|
Quote from AOSP
Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?
It's not a problem with Zandronum per se, it's with server operators.
Quote from AOSP
The GDPR was created to regulate large tech companies
Arguably to give the rights back to the users, because organisations and tech companies (especially large ones) didn't most often self-regulate with a directive.
Quote from AOSP
Either do nothing or add that Transmission-like popup
I repeat it should not be a concern for Doomseeker how Zandronum server operators don't follow basic data protection laws, which only take a hour or two to accomplish without lawyers with all the guidance available from DPAs.
A simple, short one paragraph consent dialogue like Transmission does would do fine to give the user a choice; use Doomseeker with online capabilities, or allow using Doomseeker offline (to start offline or LAN servers) while online features (master server querying) are disabled.
Quote from AOSP
Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Not true
Re: accounts:'https://web.archive.org/web/20190919130355/https://allfearthesentinel.net/policies/privacy.php [^]'
|
|
|
|
|
People are not going to spend "an hour or two" dealing with legal shit so they can shoot some twenty-five year old pixels. And I'm going to going to spend that time either considering that literally nobody ever reads the motd, and that even less people will give a shit about a privacy notice that will make no difference whatsoever - and let's be honest, won't be much good without professional consultancy.
And I'm not sure what you're trying to prove by linking TSPG's privacy page? Were you expecting a beautifully written legal document? It explains as best it can. TSPG costs several hundred dollars out of pocket a month to run; we're not adding lawyer costs on top of that so one person can feel happy while reading what they knew already. |
|
|
|
(0021044)
|
|
WubTheCaptain
|
2019-09-23 12:09
(edited on: 2019-09-23 12:38) |
|
Thank you for confirming the concern is real in this issue, AOSP.
I'm also at disposal on Zandronum IRC today if you want to debate about data protection further. (Which is ironic, because there's no data protection statement there either.)
|
|
|
|
|
|
I was now reminded that IP2C auto update is enabled by default and phones home to DRDTeam (the developers). |
|