Zandronum Chat @ irc.zandronum.com
#zandronum
Get the latest version: 3.0
Source Code

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003712DoomseekerUIpublic2019-09-19 12:492019-09-23 12:38
ReporterWubTheCaptain 
Assigned To 
PrioritynoneSeverityfeatureReproducibilityN/A
StatusacknowledgedResolutionopen 
PlatformOSOS Version
Product Version1.3 
Target VersionFixed in Version 
Summary0003712: The user isn't requested (informed) consent for their personal data to be collected/processed by servers
DescriptionFor a while now, I've been reminded of that popup in Transmission and thought, "hey, Doomseeker doesn't have something similar for personal data shared to servers."
I'm quite sure servers running on engines supported by Doomseeker collect and process quite a bit of personal data, including:
  • IP address
  • Chat messages
  • Player name
  • (GeoIP country)

The legal basis is probably legitimate interests. The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.
Master servers may also collect or process personal information.
Maybe we could help a little bit with that, at least as far as it goes for the primary feature of Doomseeker (contacting master servers). As far as I know, the "Welcome to Doomseeker" first time configuration popup makes no mention of this and queries master servers immediately without the user's acceptance. Or at least disclaim Doomseeker developers don't operate (all) the master servers or game servers.
Attached Filespng file icon 2019-09-19-123924_maim.png [^] (11,548 bytes) 2019-09-19 12:50

- Relationships

-  Notes
User avatar (0021031)
WubTheCaptain (developer)
2019-09-19 12:53

Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

And the Zandronum master server banlist too, being publicly accessible and collecting more than IP-addresses.
User avatar (0021032)
Filystea (reporter)
2019-09-19 16:10
edited on: 2019-09-19 16:11

Are you going to like inform user about every basic shit now?

It's obvious that any server can collect your data.
Actually someone who has no knowledge about it will find it suspicious.

User avatar (0021033)
Blzut3 (administrator)
2019-09-19 21:01

Although as an American that's glad that the USA hasn't yet adopted GDPR, I personally agree with Filystea's thoughts. (I would elaborate on my opinion, but it's not relevant to this ticket.) Since the world doesn't revolve around my opinions, it probably wouldn't be a bad idea to add a GDPR notice to the first run.

Of note however is that the GDPR does not apply to "personal activity" (https://gdpr-info.eu/art-2-gdpr/) which Zandronum may fall under. Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it. But I don't know.

The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.

You could be right that European game servers should have a notice and as far as I know Doomseeker would be the best place to have a cover all notice. (Especially since I would assume most people don't think about legal things when starting a server there.) I'm not sure if Transmissions notice has anything to do with GDPR or just informing users how torrents work, but we'd probably need some similarly vague "You're entering private property, so assume everything you do is being recorded."

In any case I leave it up to those who are affected by the law to determine what language is needed if any. I believe that's everyone on the team except me.
User avatar (0021034)
WubTheCaptain (developer)
2019-09-20 00:16

Off-topic notes. IANAL, caveat emptor.

Quote from Blzut3
Especially since as of right now with Zandronum not being GPL it would (with IANAL caveat) be a violation of the license to sell data collected from it.


The data output from a program isn't copyrighted under the same license as the program itself.

Quote from Blzut3
The master server ban list point is likely moot since it's operated out of the USA and does not specifically target EU users.


If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

There's international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).

Quote from Blzut3
You could be right that European game servers should have a notice


Any server that processes personal data from EU member state citizens. But that's what game servers should notify the user about, not us.

Quote from Blzut3
I'm not sure if Transmissions notice has anything to do with GDPR or just informing users how torrents work


The latter. I used it as an illustration for a short consent dialog.

Quote from Blzut3
In any case I leave it up to those who are affected by the law to determine what language is needed if any.


Since Doomseeker developers aren't controllers for that data, we don't know what's necessarily collected; I'm not going to expect full privacy statements from Doomseeker. The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one. (Short of the master server itself advertising a privacy policy URL in a response.)

Of course, I suppose the welcome dialog would need to be changed to only query master servers (enable engines) after consenting; even if we don't do the privacy statement thing.
User avatar (0021035)
WubTheCaptain (developer)
2019-09-20 00:38

Quote from WubTheCaptain
The best that could be done is linking to each individual privacy statement from the default master servers, if we know of one.


The preparedness of those master server operators for basic data protection laws is probably so shamefully awful, I think I'd be more inclined to skip this step anyway. Thus, my focus on the pseudo-consent dialog.
User avatar (0021036)
Blzut3 (administrator)
2019-09-20 01:48

Quote from WubTheCaptain
The data output from a program isn't copyrighted under the same license as the program itself.

This is where things can potentially get a little hairy. By license Zandronum can not be used for commercial purposes. The meaning of this is kind of vague, but these kinds of restrictions on the use of output actually occurs in EULAs a lot. For example IDA Free does not permit disassembling a program and using that information to say create anti-virus definitions. Is it enforceable? I don't know, but certainly the spirit of the license would be that the program could not be used in the process of creating financial revenue. I've certainly heard lawyers make arguments that even having a donation link on this website would be a violation of a non-commercial license (this was in context of why projects like Debian can't include non-free software even if they wanted to).
Quote from WubTheCaptain
If an EU member state citizen visits America and shares personal data there (at the USA) for collection, that's not under the GDPR. Processing data from EU citizens is always under the GDPR, and collecting data from EU citizens while they're in the EU is under the GDPR.

There's international treaties between the EU and the US, such as The EU–US Umbrella Agreement, for Europeans to access US courts for privacy and data protection concerns (juridical redressing).

Based on the research I've done the key is market targeting. Since Zandronum is completely agnostic to its visitor's location: We don't run targeted ads (or any ads for that matter), we don't sell services in Euros (not that we could because of licensing), we don't have any keywords that would suggest connection to the EU, thus this site can operate concerning itself with only US laws. In effect you are visiting the US when you access zandronum.com services.

Anyway, I'd rather not continue to pollute this ticket with these kinds of opinions. I'm happy to have a debate with you via email if you desire though.
User avatar (0021037)
AOSP (reporter)
2019-09-22 17:26

Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's taken, like, nineteen years for anyone to care. Zandronum is too small for this problem to even exist in the first place. The GDPR was created to regulate large tech companies, and Zandronum isn't a large tech company, it's not even a legal entity - it's a source port for a 25 year old game, and any attempt to resolve this issue will just create effort for everyone and result in nothing.

Either do nothing or add that Transmission-like popup: hosting servers costs me enough just for the machine; imagine the cost of the lawyer if I was required to provide a privacy policy that nobody's going to read.
User avatar (0021038)
AOSP (reporter)
2019-09-22 17:48
edited on: 2019-09-22 17:48

Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.


Not true, server hosts on TSPG (or AllFearTheSentinel as you called it) are no longer able to view player IPs due to GDPR. This is the most we could do considering we don't have the resources to fund a bunch of developers and lawyers to help redesign Zandronum.

User avatar (0021042)
WubTheCaptain (developer)
2019-09-22 19:43
edited on: 2019-09-22 19:57

Quote from AOSP
Hasn't Zandronum been in violation of the DPD since Skulltag gained multiplayer? Why is the GDPR any different?

It's not a problem with Zandronum per se, it's with server operators.
Quote from AOSP
The GDPR was created to regulate large tech companies

Arguably to give the rights back to the users, because organisations and tech companies (especially large ones) didn't most often self-regulate with a directive.
Quote from AOSP
Either do nothing or add that Transmission-like popup

I repeat it should not be a concern for Doomseeker how Zandronum server operators don't follow basic data protection laws, which only take a hour or two to accomplish without lawyers with all the guidance available from DPAs.
A simple, short one paragraph consent dialogue like Transmission does would do fine to give the user a choice; use Doomseeker with online capabilities, or allow using Doomseeker offline (to start offline or LAN servers) while online features (master server querying) are disabled.
Quote from AOSP
Quote
The fact AllFearTheSentinel seems to be negligent of Regulation (EU) 2016/679 ("GDPR") is indifferent to Doomseeker.

Not true

Re: accounts:https://web.archive.org/web/20190919130355/https://allfearthesentinel.net/policies/privacy.php [^]

User avatar (0021043)
AOSP (reporter)
2019-09-22 22:05

People are not going to spend "an hour or two" dealing with legal shit so they can shoot some twenty-five year old pixels. And I'm going to going to spend that time either considering that literally nobody ever reads the motd, and that even less people will give a shit about a privacy notice that will make no difference whatsoever - and let's be honest, won't be much good without professional consultancy.

And I'm not sure what you're trying to prove by linking TSPG's privacy page? Were you expecting a beautifully written legal document? It explains as best it can. TSPG costs several hundred dollars out of pocket a month to run; we're not adding lawyer costs on top of that so one person can feel happy while reading what they knew already.
User avatar (0021044)
WubTheCaptain (developer)
2019-09-23 12:09
edited on: 2019-09-23 12:38

Thank you for confirming the concern is real in this issue, AOSP.

I'm also at disposal on Zandronum IRC today if you want to debate about data protection further. (Which is ironic, because there's no data protection statement there either.)


Issue Community Support
Only registered users can voice their support. Click here to register, or here to log in.
Supporters: No one explicitly supports this issue yet.
Opponents: No one explicitly opposes this issue yet.

- Issue History
Date Modified Username Field Change
2019-09-19 12:49 WubTheCaptain New Issue
2019-09-19 12:50 WubTheCaptain File Added: 2019-09-19-123924_maim.png
2019-09-19 12:53 WubTheCaptain Note Added: 0021031
2019-09-19 12:54 WubTheCaptain Description Updated View Revisions
2019-09-19 16:10 Filystea Note Added: 0021032
2019-09-19 16:11 Filystea Note Edited: 0021032 View Revisions
2019-09-19 21:01 Blzut3 Note Added: 0021033
2019-09-20 00:16 WubTheCaptain Note Added: 0021034
2019-09-20 00:16 WubTheCaptain Status new => acknowledged
2019-09-20 00:38 WubTheCaptain Note Added: 0021035
2019-09-20 00:41 WubTheCaptain Summary The user isn't receiving informed consent of how their personal data may be collected/processed by servers => The user isn't giving informed consent for their personal data to be collected/processed by servers
2019-09-20 00:42 WubTheCaptain Summary The user isn't giving informed consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers
2019-09-20 00:43 WubTheCaptain Summary The user isn't giving (informed) consent for their personal data to be collected/processed by servers => The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration
2019-09-20 00:44 WubTheCaptain Summary The user isn't giving (informed) consent for their personal data to be collected/processed by servers on initial configuration => The user isn't requested (informed) consent for their personal data to be collected/processed by servers
2019-09-20 01:48 Blzut3 Note Added: 0021036
2019-09-22 17:26 AOSP Note Added: 0021037
2019-09-22 17:48 AOSP Note Added: 0021038
2019-09-22 17:48 AOSP Note Edited: 0021038 View Revisions
2019-09-22 19:43 WubTheCaptain Note Added: 0021042
2019-09-22 19:44 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 19:48 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 19:57 WubTheCaptain Note Edited: 0021042 View Revisions
2019-09-22 22:05 AOSP Note Added: 0021043
2019-09-23 12:09 WubTheCaptain Note Added: 0021044
2019-09-23 12:09 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:17 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:17 WubTheCaptain Note Edited: 0021044 View Revisions
2019-09-23 12:36 WubTheCaptain Category Documentation => UI
2019-09-23 12:38 WubTheCaptain Note Edited: 0021044 View Revisions






Questions or other issues? Contact Us.

Links


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker