  #111  
11-22-2022, 05:14 AM
Calmethar
Aviak

Join Date: May 2010
Posts: 55

Quote:
Originally Posted by azxten
Anyway...

Personally I think they should have a statement about this functionality, require people to agree to it when creating an account, and this statement should explain how that personal information is being handled. I was curious so read a bit of GDPR to see how it would apply to P99 but as far as I can tell P99 isn't a business. It's an entity which under GDPR entities are only required to comply if they are based in the EU. One thing I found that is interesting was some laws have defined protected personal information as also being aggregate non-identifying personal information if collected on more than 1000 different entities. From a project perspective what is being done is in fact risky because there is a very remote chance that someone's computer is named "bobsmithat123stidaho" and let's say they have a peculiar taste in porn and a staff member has this data from window titles and puts it out there. That person begins to have standing to sue and with actual damages. The data could be obtained by a malicious actor for example it doesn't have to be the staff intentionally using it for bad reasons. In this case P99 would almost definitely be in big trouble. No one agreed to this, they didn't disclose it officially, in this instance it was enough information to identify an individual, and it caused damages. Totally remote never going to happen kind of thing but in reality these things happen sometimes.

Of course these concepts are alien to most people. The risk is on the staff and it's their decision. I see little downside though. It's funny people would actively resist the idea that someone collecting personal information without your consent probably should stop doing that. Rogean said, "If you think what we're doing is bad you should see the other anti-cheat systems" referring to things like EAC and so on. The problem with that is those run with user consent via an agreement obtained during installation. No such agreement exists for P99 regarding their data collection or usage.

Why resist doing this? It seems immature to me but my mindset is very corporate and seeks to avoid unnecessary risks. My perception is there is concern that if this was disclosed it would threaten growth, weaken the protection, or it's "hard" to implement properly since P99 logins are tied into EQEmu. You can make an EQEmu account without agreeing to anything from P99. The license.txt file has a disclaimer about this but the problem is you don't have to agree to this to play on P99. It's like if you signed up for a Facebook account and after you were already logged in and using the product they E-mailed you a list of rules and described how they're harvesting your personal data. That won't hold up in court.

Oh also since staff has commented on this they're now "knowingly" doing what they're doing in spite of people bringing these issues to their attention. Not even trying to be a dick I'd fix this up if I was in charge and this is how it is. Of course they could be comparing window titles on the client side and only sending a detection flag. Your computer name could be a one way hash for purposes of detecting boxing. There are a lot of assumptions about what is actually collected but then this gets into privacy laws about "processing" personal information as well.

By the way, Azxten, GDPR does very much apply to private entities as well. The only exception is if it's "completely private", but "Project 1999" is very far from "completely private" catering to thousands, so yes, GDPR certainly applies.
__________________
– Calmethar.