The Mud Connector

Author Topic: What, if any, affect does the GDPR have on MU*'s?  (Read 3314 times)

arholly

  • Jr. Member
  • **
  • Posts: 75
    • View Profile
What, if any, affect does the GDPR have on MU*'s?
« on: May 23, 2018, 3:31 PM »
The topic is pretty explanatory.  What, if any, affect does the EU GDPR have on MU*'s?

Best Regards,
Arholly

Molly

  • Community Manager
  • TMC Veteran
  • *****
  • Posts: 606
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #1 on: May 24, 2018, 2:42 AM »
I am far from an expert on data regulation, but since most muds protect the identities of their players to an extent where not even the admin can see the real names, I don't think it will affect muds. At least I hope it won't.

Perhaps someone more knowledgeable can comment on the question?
Molly O'Hara of 4 Dimensions
4Dimensions.org Port 6000

arholly

  • Jr. Member
  • **
  • Posts: 75
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #2 on: May 24, 2018, 9:04 AM »
    I'm not an expert either, but it seems there are some areas which could impact MU*'s. 

    • If you collect e-mail addresses, you are collecting personal information.  (link)
    • Access logs contain personal information (IP addresses are considered personal information - even if they are dynamic) (link)
    Those are just two of the examples I can think the GDPR affect's mu*'s, which means people should probably be updating their policies and/or looking into it at least.  Again, not a lawyer, just I know at work it is going to affect us, so I figured after learning more, it probably affects this community as well since IP's are used for banning purposes.

    Best Regards,
    Arholly
« Last Edit: May 24, 2018, 9:06 AM by arholly »

arholly

  • Jr. Member
  • **
  • Posts: 75
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #3 on: May 24, 2018, 9:08 AM »
Oh yes, and then there is the part of the GDPR about not collecting information on people younger than 16.

https://gdpr-info.eu/art-8-gdpr/

Tijer

  • Community Manager
  • TMC Veteran
  • *****
  • Posts: 774
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #4 on: May 24, 2018, 11:25 AM »
Does this mean you are back Arholly? :P
--Tijer
War of Legend    • Mud • Waroflegend.net port 4200   • Web • http://www.waroflegend.net
Aadarian Realms • Mud • Aadaria.net port 1111/1114  • Web • http://www.aadaria.com

SecondMouse

  • New to TMC
  • *
  • Posts: 1
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #5 on: May 24, 2018, 11:43 AM »
The topic is pretty explanatory.  What, if any, affect does the EU GDPR have on MU*'s?

Best Regards,
Arholly

I am also not a lawyer, but the PSD2, and its subset GDPR define types of financial businesses, and link regulations to those groups.  The groups affected by extension are Data Providers, those who accept, process, and/or store personal information as part of the financial industry.

I do not think MUDs will be affected any more than public schools would be.   The exception might be slot machine games, as most are implemented as banks in Europe.

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

https://en.wikipedia.org/wiki/Payment_Services_Directive

https://en.wikipedia.org/wiki/Payment_Services_Directive#Revised_Directive_on_Payment_Services_(PSD2)

Commonly asked questions on PSD2 differences
http://europa.eu/rapid/press-release_MEMO-15-5793_en.htm
« Last Edit: May 24, 2018, 11:57 AM by SecondMouse »

nullscan

  • TMC Member
  • ***
  • Posts: 139
    • View Profile
Re: What, if any, affect does the GDPR have on MU*'s?
« Reply #6 on: May 24, 2018, 11:55 AM »
    Access logs contain personal information (IP addresses are considered personal information - even if they are dynamic only if and when they are in the hands of some government or law enforcement agency who can order the ISP to hand over the subscriber's real name, address, phone number, etc) (link)

    Those are just two of the examples I can think the GDPR affect's mu*'s, which means people should probably be updating their policies and/or looking into it at least.  Again, not a lawyer, just I know at work it is going to affect us, so I figured after learning more, it probably affects this community as well since IP's are used for banning purposes.

    Best Regards,
    Arholly[/list]

    FTFY in bold.  The text is from your own link:

    Quote
    However, given the importance of the issue to EU law, the German court referred the issue to the ECJ.  In ECJ proceedings, the Advocate General argued that IP addresses in the hands of the German government should be considered personal data because the government could legally—and thus reasonably and foreseeably—obtain data from ISPs that it could use to identify individuals.

    So unless the MU is government owned and operated, this ruling does not apply.

    arholly

    • Jr. Member
    • **
    • Posts: 75
      • View Profile
    Re: What, if any, affect does the GDPR have on MU*'s?
    « Reply #7 on: May 24, 2018, 12:26 PM »
      Access logs contain personal information (IP addresses are considered personal information - even if they are dynamic only if and when they are in the hands of some government or law enforcement agency who can order the ISP to hand over the subscriber's real name, address, phone number, etc) (link)

      Those are just two of the examples I can think the GDPR affect's mu*'s, which means people should probably be updating their policies and/or looking into it at least.  Again, not a lawyer, just I know at work it is going to affect us, so I figured after learning more, it probably affects this community as well since IP's are used for banning purposes.

      Best Regards,
      Arholly[/list]

      FTFY in bold.  The text is from your own link:

      Quote
      However, given the importance of the issue to EU law, the German court referred the issue to the ECJ.  In ECJ proceedings, the Advocate General argued that IP addresses in the hands of the German government should be considered personal data because the government could legally—and thus reasonably and foreseeably—obtain data from ISPs that it could use to identify individuals.

      So unless the MU is government owned and operated, this ruling does not apply.

      Actually, if you read the next paragraph, it does not apply only to government owned and operated.
      Quote
      The ECJ closed by phrasing its holding broadly.  It stated that dynamic IP addresses held by a website operator constitute personal data as long as the operator has “the legal means which enable it to identify the data subject with additional data which the [ISP] has about that person.”
      If the IP address allows you to identify the operator, then it is considered personal information.  And since most mu*'s use the IP address in conjunction with a players name (or account), then you can identify them based off of IP and therefore it is personal data.

      Further Links:
      https://arstechnica.com/tech-policy/2016/10/eu-dynamic-static-ip-personal-data/
      https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
      https://www.bna.com/ip-addresses-protected-n57982079024/

      It's why places like boardgamegeeks and the like are revising their policy's (https://boardgamegeek.com/privacy#toc6) to include discussion of IP addresses.

      @Tijer:  Not really.  Just work related stuff happened and it made me think of AR.

      nullscan

      • TMC Member
      • ***
      • Posts: 139
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #8 on: May 24, 2018, 12:52 PM »
      Actually, if you read the next paragraph, it does not apply only to government owned and operated.
      Quote
      The ECJ closed by phrasing its holding broadly.  It stated that dynamic IP addresses held by a website operator constitute personal data as long as the operator has “the legal means which enable it to identify the data subject with additional data which the [ISP] has about that person.”
      If the IP address allows you to identify the operator, then it is considered personal information.  And since most mu*'s use the IP address in conjunction with a players name (or account), then you can identify them based off of IP and therefore it is personal data.

      Further Links:
      https://arstechnica.com/tech-policy/2016/10/eu-dynamic-static-ip-personal-data/
      https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
      https://www.bna.com/ip-addresses-protected-n57982079024/

      It's why places like boardgamegeeks and the like are revising their policy's (https://boardgamegeek.com/privacy#toc6) to include discussion of IP addresses.

      How exactly do you imagine IP Addressing translates into "personally identifying information" for the world at large, without being a government entity who can legally extort private/confidential records from your ISP?

      Do you seriously think that being able to identify that the last connection to the account "user001" was made from 192.168.0.1 means that the person currently connecting from 192.168.0.1 owns that account?  Because that's the first major error you're making with your statement.  You cannot link any online account to any IP Address because of DHCP (aka Dynamic IP Assignment), much less link 192.168.0.1 to the real-name, address, and telephone number of any of the people who connected from it as much as right now much less in the last hour. 

      The only people who can do that are the ISPs that issue the IP Address, by logging what device was issued what IP at what time, and the device will have a unique MAC address (or some other uniquely identifying ID) which will be recorded in customer records along with real-name, address, and telephone number of the customer the device is issued to.  Governments and law enforcement agencies can then compel ISPs to hand over their logs and customer records.

      You could impersonate law enforcement, forge a warrant, or do any number of other highly illegal things to obtain the same data from the same ISP.  This ruling does not apply to that, no matter how many gross misinterpretations you make of it or how many paragraphs you keep cherry picking out of it.  The keyword here is legally.

      I honestly don't know if you're that terrified of the internet yourself or if you're just fear-mongering.
      « Last Edit: May 24, 2018, 1:12 PM by nullscan »

      Zandy

      • Community Manager
      • Jr. Member
      • *****
      • Posts: 89
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #9 on: May 24, 2018, 1:12 PM »
      I'm just going to chime in here and make sure everyone understands this is a discussion and not a flame war.  Lots of different opinions here and everyone feels theirs is right.  So let's keep this low key and on a discussion level and leave out any personal feelings.

      arholly

      • Jr. Member
      • **
      • Posts: 75
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #10 on: May 24, 2018, 3:42 PM »
      (I recognize it's a discussion and won't be trying to flame anything back - not my style).

      It doesn't matter if your a government agency or not or if you have access to law enforcement or not.  IP addresses are considered personal information regardless and thus are protected data.  If you feel you don't have to do anything, that's fine.  I'm just bringing it up for discussion.  You clearly feel one way and I'm cool with that.  It just seems from all the information out there, you have to protect the information and I was trying to discuss how that would impact that hobby.  You can look up where people live based off their IP address.  You, for even the most basic ROM mud, can equate an IP address to a username, which means you are identifying people by it.

      And clearly I'm not the only one doing it because there are lots of other websites (not even games) which are doing stuff about it.  And these are places which do not engage in any form of monetary transaction (and anyplace that does deal in money, as you mentioned), is addressing it.

      nullscan

      • TMC Member
      • ***
      • Posts: 139
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #11 on: May 24, 2018, 3:48 PM »
      (I recognize it's a discussion and won't be trying to flame anything back - not my style).

      The only flaming going on here is by Zandy, who took a simple correction of bad information and didn't even blow it out of proportion but twisted it into something it isn't and wasn't.

      arholly

      • Jr. Member
      • **
      • Posts: 75
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #12 on: May 24, 2018, 3:52 PM »
      Just another resource because these are free to play games that are shutting down because of the GDPR:
      https://motherboard.vice.com/en_us/article/pavbn9/gdpr-privacy-law-and-online-games-loadout-ragnarok-online

      Zandy

      • Community Manager
      • Jr. Member
      • *****
      • Posts: 89
        • View Profile
      Re: What, if any, affect does the GDPR have on MU*'s?
      « Reply #13 on: May 24, 2018, 4:01 PM »
      The only flaming going on here is by Zandy, who took a simple correction of bad information and didn't even blow it out of proportion but twisted it into something it isn't and wasn't.

      I was addressing everyone equally, and nobody specifically.  But if you took it to mean you then maybe there's something there?  That's all I'll have to say on the issue other than to keep it on topic.

      Hades_Kane

      • Community Manager
      • TMC Veteran
      • *****
      • Posts: 1230
      • Owner / Administrator of End of Time
        • View Profile
        • End of Time
      -Diablos
      End of Time, a 100% free Final Fantasy & Chrono Trigger based MUD with a large original world, unique combat & magic systems, and more!
      eotmud.com : 4000 • http://www.eotmud.com • http://www.facebook.com/eotmud
      http://www.mudconnect.com/mud-bin/adv_search.cgi?Mode=MUD&mud=End+of+Time