Privacy information for players (ingame) [GDPR]

Hey, its GDPR discussion time again, YAY!
First of all: why this post?
I find that there is quite a lack of public discussion in the forums about the law changes that are already active since March 2018 concerning privacy for EU citizens.

If I haven't missed anything right now, during the first launch of the most recent stable version (0.8.2) there is a pop-up window asking the player to enter a nickname and welcoming them to the game as well as an option to enable/disable sharing of the player name to stats.xonotic.org.
And that's about it, not much more information concerning privacy or even stats.xonotic.org is given.
That brings several problems with it IMHO:

1. How is the user supposed to actually know what he is deciding right now?
   
2. This decision is not representing the 2 larger choices you have for stats sharing (cl_allow_uidtracking vs cl_allow_uid2name)
   
3. The user is not notified in any way about what data is used where.
   

I think 1 and 2 can be solved somewhat easily by small changes, like display two tickbox options instead like it already is in >multiplayer>profile
Further it would probably best to make the options opt-in if thats not already the case. This would also benifit stats.xonotic.org as it wouldn't be "polluted" as much by users that just briefly check this game out.

The third problem is not solved as easily though.
First we have to agree on a text that should be used. I would like to reach a consensus in this thread as this is probably one of the more tricky parts.
According to GDPR (which is likely the strongest privacy lawset concerning xonotic right now) the text should inform the user in an easily understandable way about what personal data is being processed.


Now I do have a very limited knowledge about xons internal structures and am also not native to the english language. So I wrote up a small first draft but would encourage you to improve upon that or write another better one from scratch. The current draft is editable in a etherpad: https://piratenpad.de/p/xonotic_ingame_gdpr_notifier

Please try to keep it somewhat simple, yet clear and specify a name if you edit the text so its easier to see who did what.

If we manage to get these changes in we are probably on the save side and certain server admins might start using stats.xonotic.org again.
In case I forgot anything important please mention it. But thankfully xonotic does not collect that much personal information. And no I don't count your aim% as personal information, sorry

Thanks for trying to move this mountain and gl

This is indeed a good idea, thank you Käsebrot!

I wonder who would be the "controller" in terms of GDPR with Xonotic? Is there even a legal entity that could constitute a "controller"?

Xonotic's "Terms of Service" don't tell me who is controller...
http://www.xonotic.org/tos/

It's been a while since I've read the GDPR and its impacts with respect to Xonotic, but I did author the terms of service in response to it. In there I have a bulleted list of what is collected by stats, and also relate those things back to the two checkboxes in-game (and their corresponding cvars). I agree that the in-game message boxes or prompts could be made more clear. Possibly we could reference that URL for clarity.

There's also a lot of ambiguity with respect to whether or not what we collect constitutes personal data under the definition specified in Article 4. To be on the safe side, we assume the hashkey used to establish unique player_ids in stats is indeed personal data according to GDPR. We've treated it as such since stats was created, and have accordingly placed it behind an opt-in flag. 

@Halogene - I'm open to suggestions on how to communicate how the "controller" role works. Can you suggest any verbiage I can use in the TOS page to make it clear?

We would have to find out if there actually is an entity that could fill the role of the "controller"... do a bunch of people working together on free software constitute a legal entity that is capable of being addressee of claims? If not, which one of the people involved would be the "controller" in terms of GDPR? Or can the team collectively as natural persons be a "controller"? Who would then be part of the team that constitutes the controller and where would one have to draw the line?

This is actually also a topic for the Terms of Service - if they are intended to form a contract, who is the party that uses them ("we")? How would I find out with whom I am actually contracting there?

I'll try to investigate this a bit with regard to controllership following GDPR in free software projects.

So just to be clear, personal data xonotic (the software only) may be collecting and sharing to 3rd party (game servers and stats.xonotic.org):

• UID
  
• IP-adress
  

Sensitive data collected: none, although one could mention that players should not pick any information as nickname they don't want to be available. Which kinda is common sense. AFAIK ip-adress does not count as sensitive data

What is lacking is a proper in-game information. The TOS is all nice and fine and I would consider them out of scope of this thread for now.
However as you can not be expected to look up tos online when launching the game it is required to have some sort of ingame mention.
As a fixer-upper having a clickable object that opens a site in the web browser is already better than nothing. (And that shouldn't take ages to implement).


Also the tos does not mention ip sharing anywhere, because yes, at that point it isn't required. In game it however has to be specified. So we can't just link TOS ingame.
We do need another one for ingame imho.

Ideally one would have an option for gameservers to provide their own TOS and have them easily accessible from within the game. However I understand this requires some actual work. But because xonotic effectively shares your ip with the server and thus its administrator anything could happen, like permanent logging of them (which is kinda the case for a lot of servers).

And concerning the "controller", if I understand the terms of gdpr correctly (I am not a lawyer!) this applies to stats only, so its actually responsibility of the ones hosting xonotic.org in the end. I have no clue who that actually is, but maybe thats also not such a good thing and should be mentioned somewhere.
As you have direct control in game (or should have) about how you share personal data on the in-game side of things a controller is not required as we provide the "automated process" that "only" forwards data in case you allow it. As such this is not a core field of the game itself but instead a core field of those that run stats.xonotic.org .

After a bit of talking/writing with packer on irc we put required changes in a bit of a structure (this reflects some of my hastily taken notes, so might be not completely what was talked about in irc).

So here are the 3 major steps:

1. Change first launch information:
   • Mention that the game has online features that require xonotic to use the clients ip to connect. (e.g. update.xonotic.org/checkupdate.txt)
     
   • Explain the tracking options more in-depth so that an educated decision on user side is possible and change selection toggles to reflect that. (provide link to website TOS for complete information)
     
   • Xonotic does not host official servers, every server inter-action is a 3rd party that can and most likely will log user ip and UID (UID might always be sent to server despite tracking setting because it is used for bans as well according to packer)
     
2. Prevent xonotic from establishing any connections (e.g. update check) before first-launch window has been completed (ok has been pressed).
   
3. Provide a way for server admins to notify the player about server TOS before joining the server.
   

Especially step 2 and 3 sound like actual effort possibly involving engine code etc.
This is why our goal for now should be to get step 1 rolling. Because that would already be a huge improvement in terms of compliance.

Current text in the welcome window: https://gitlab.com/xonotic/xonotic-data....run.qc#L39
Welcome to Xonotic, please select your language preference and enter your player name to get started.
You can change these options later through the menu system.
Name: <field> Textlanguage <selector>
Allow player statistics to use your nickname at stats.xonotic.org?
o yes   o no   x undecided

I would like to propose a change along these lines:
Welcome to Xonotic, please select your language preference and enter your player name to get started.
This game has online features that require your IP-adress to establish a connection.
Xonotic does not host its own official game servers. Any server you join in multiplayer may log your IP-adress and an unique identifier (UID) that has been generated with the first launch of the game.

Name: <inputfield> Textlanguage: <selection>


Allow player statistics to submit game information to stats.xonotic.org in connection to your UID?
o yes  x no

Allow player statistics to submit your nickname along game information? If you say no you will be listed as "Anonymous Player"
o yes  x no

For further information about stats.xonotic.org please head to [/url][url=https://www.xonotic.org/tos]https://www.xonotic.org/tos
You can change these options later through the menu system, but any information that has been transmitted until that point will remain.

Especially the settings about player statistics are still not precisely what is actually happening, as a modified server could still force stat sharing and ignore client setting, so again its technically in the hand of 3rd party. Also any server could specify another stat website than xonotic.org via g_playerstats_gamereport_uri.

What about CTS and CTF servers logging player records? Does it need to be handled somehow?

I considered that to be covered by stats.xonotic.org stuff, although one might argue servers log more especially in the case of cts.
However thats not personal data. So while not being "nice" to not mention it, not really required as it is vaguely mentioned with tracking in general.
To properly do this we need step 3, a way for server admins to provide their own server TOS.
But I really urge everyone here to take one step after another and not all at once, so that it seems massive and is ignored again...

Probably common knowledge for many, but perhaps there's a kind of people that should be made aware that they're responsible to things they say themselves online. The privacy laws don't protect you from things you type out in community servers/chats and the community has the faculties to quote/paste whatever you said. Referring to of course QuoteDB and the amount of lulz it has produced over the years.

I have had a good think about Xonotic and GDPR, but I can't really get to reasonable conclusions. So I figured I put this up for discussion here.
First of all, applicability - does the GDPR apply at all? To have the GDPR apply to Xonotic, this would require the controller to be subject to EU law. The problem is to find out who actually is the controller.
At this point I would need some sort of insight into the internal organization structure of the Xonotic team - from the information I find on the web the team consists of present and future contributors. So it looks to me like there is no real set of core team members that would be able to constitute some sort of organization that would qualify as legal person. That would mean the GDPR would apply to the natural persons involved directly where such person is living in the EU, since GDPR covers all sorts of data procession activities that is beyond personal/household purposes, be it by a legal or natural person (https://gdpr-info.eu/art-2-gdpr/). Responsibility would then probably be shared in form of joint controllership following Art. 26 GDPR (https://gdpr-info.eu/art-26-gdpr/).
I believe it would be much easier for everyone involved, if there was a legal person that is running Xonotic. Who is by the way holder of the name rights? Would it make sense to found some sort of association? Does anyone have experience how this sort of question (legal responsibility) is handled in other open source software projects?

And concerning the "controller", if I understand the terms of gdpr correctly (I am not a lawyer!) this applies to stats only, so its actually responsibility of the ones hosting xonotic.org in the end. I have no clue who that actually is, but maybe thats also not such a good thing and should be mentioned somewhere.
As you have direct control in game (or should have) about how you share personal data on the in-game side of things a controller is not required as we provide the "automated process" that "only" forwards data in case you allow it. As such this is not a core field of the game itself but instead a core field of those that run stats.xonotic.org .

Good point. However, to the extent the ones responsible for hosting stats.xonotic.org also take part in developing the stats end of the game software, it would require them to honor prinicples like "privacy by design" and "privacy by default". But true, developing software alone doesn't make you a "controller" in terms of GDPR, since that would not include the actual processing of data.

Wouldn't that also make every game server admin a controller, too? Isn't it the server that sends data to stats.xonotic.org (provided, the client allows it)? Even if the clients can choose whether or not to allow stats tracking, the server would be the one conducting the transfer to stats.xonotic.org and would therefore be responsible for this data processing...

I believe it certainly would be a good idea to implement best practices (properly inform, opt-in, automatic routines for deletion or information on stored personal data...). Maybe we could implement software solutions that allow stats.xonotic.org and server owners to comply with requests for information or deletion? That would be reasonably simple: adding a download and delete button to the menu for stats, that way the game could also handle authentication of the requesting person by using their personal key (so that data can only be retrieved by the player it belongs to). The same could maybe be implemented for servers in the server browser.

Implementing technical means to comply with GDPR requirements would also help to keep  the responsibility of the controller at a neglectible level. I would volounteer to help draft declarative texts and determine which data should be automatically retrievable.