GDPR and Minecraft Communities - Thoughts and discussion?

Discussion in 'Server & Community Management' started by mywarthog, Nov 24, 2017.

?

Gneeral thoughts on the EU GDPR?

  1. Love it

    7 vote(s)
    20.0%
  2. Some good, some bad

    17 vote(s)
    48.6%
  3. Hate it

    11 vote(s)
    31.4%
  1. Hopefully this type of a post is okay here.

    Just a question out of curiosity for those that administrate/own Minecraft communities here. What's your stance on the European Union GDPR? More specifically:

    - What country do your base your servers out of
    - Do you have any intent to comply with the EU law
    - Assuming no to the former question, are you going to just be practicing non-compliance, or firewalling off users from within the EU
    - What's your general opinion of it... both from the perspective of a server administrator and of that as an end user

    For my personal answers if anyone's interested, since it wouldn't be right for me to ask without disclosing my own personal views on it:
    - We're completely based out of the United States, but (currently) welcome all users internationally.

    - Being an American gaming community, soverignty is very important to us as Americans in general. I'm not 100% sure on where we stand on this yet (hopefully this discussion may provide some insight/perspective to myself as well as others that are on the fence).

    - Assuming no compliance, we'd probably just make a very clear cut privacy policy stating that the user gives us the right to indefinitely retain the data and not process erasure requests. At the very least, there's no way that we're going to require the age of 16 and under to have parental consent... there's nothing wrong with the age of 13 already set forth by COPPA. A firewall/geoblock is an option too, of course.

    - As a server and a community administrator, I take a strong issue with the right to erasure, as well as the newly defined age limits. We indefinitely retain all logs, usernames, player information, IP addresses, etc for administrative and moderation purposes. Posts and user created content... we have a strong policy of don't post anything personally identifying as it is... but we still have the fear that we could be ordered to remove posts and content through the EU law, if we chose to comply with it. Demanding the erasure of this material creates many organizational security risks that are simply too big for us to be willing to take. Also, the new age requirements will severly damage the communities here that rely on a younger audience. As an end user, I strongly agree with the restriction of non-consented commercial sale of customer data (personally, I don't think this one goes far enough in some aspects... I think it should be required that consent is given on a provider by provider basis (ie, Google AdSense, Facebook Ads, etc), as well as the fact that breaches where individual financial security is at a risk must be reported (although I would lengthen this to a week... just a few days may not be long enough depending on the business and the specific circumstances of the hack). In general... I think that while there are good points to the GDPR, the non-discriminate/strict/overreaching right to erasure as well as where it wants to enforce it on businesses and organizations that do not have any kind of interest in the EU (apart from customers/users that visit the American servers) are a deal-breaker for my support of the GDPR. Kinda if like an American convenience shop had to follow Russian commerce laws (in terms of what they were allowed to buy, use, etc) for a Russian citizen. Outside of Minecraft, I think that the fines are a bit large, and the costs of compliance will obviously be passed to the consumers.

    For full disclosure, the community we operate does not directly handle payments/transactions/etc. We currently rely solely on donations, and handle all donations through PayPal.

    Thoughts? Pick and choose which questions, or answer all the questions... either-or is fine.
     
  2. As I am working on developing what (I hope) amounts to a fairly large server userbase, I am taking the GDPR pretty seriously, but there are some areas of the law that are so vague that I think it will be difficult to enforce some of the regulations. I also wonder how much is already going to be covered for us because of how Minecraft itself (and thus Microsoft) handles their compliance.

    For example, if Minecraft requires parental consent for those under 16 to play, then do we server owners need to also get that parental consent? If the server host is not compliant with the GDPR, then do the server admins need to adjust our practices in order to make sure we're covered or should we just find a new host?

    I am creating a plugin that requires the tracking of blocks placed by a individual users. Those accounts are stored on the server so that the plugin can reference blocks related to that account. If it is requested that I delete a user's account, does that include all of the blocks which that player placed which also reference that account? Do I need to delete all gathered statistics data, permissions, worldguard regions, etc... that are associated with that user?

    If I add a user and their IP address to a ban list, and then I am required to remove all data related to that individual from my databases, does that mean that I need to remove their name/IP from the ban list as well, or do I keep it there to ensure that they don't ever access my server again? Or does that fall under "Freedom of Expression" or my right to protect the public interest of my other users?

    It would be nice for someone well-versed in GDPR legalese to help get some answers on this subject so that we can make take the appropriate measures to stay compliant.

    For now, region-blocking the EU might be the best bet until those answers can be determined.
     
  3. Just out of curiosity, where are you based? If you're in the states, I'm still banking on this being non-enforceable, even when EU data subjects are directly involved. it's like if someone from India walked into an American storefront, that store's not bound to Indian consumer laws. I'm tempted to contact a lawyer to discuss this with them in more detail, honestly.

    This is unclear and I have seen both answers for similar situations, but the answer seen more often is "yes" to all those scenarios. IP addresses are kinda tricky - you can keep the IP addresses, but must remove all other related identifiable information. Freedom of expression is not really clear.

    People that are well versed keep giving conflicting answers. The region-block may be the safest bet, albeit damaging to your audience. Hopefully the US government wakes up soon and learns about this, and does something to prevent this. America and the EU have always had a wide variance in stances when it comes to data privacy... EU is playing with fire when it tries to enforce laws outside of its borders.
     
  4. I'm in the States.

    Certainly it's true that a sovereign nation can't impose laws on other nations (outside of international laws that are agreed upon by the UN and other such groups), but a nation (or the EU as a whole) could block a non-compliant server from being accessed by citizens. That could put a pretty big damper on the community morale.

    Are you leaning towards being compliant?
     
  5. This wouldn’t actually apply to minecraft servers. Unless you collect personally identifiable information (minecraft uuid’s and ip addresses, usernames aren’t personally identifiable) you don’t need to erase anything from your server. Mojang and Microsoft are responsible to ensure players have parental consent to play the game, you are responsible to ensure the law is followed on your website only, if you are hosted by a site like enjin, they are responsible as you need an enjin account to access and use the website. Your payment processing is also responsible. The only time you would be responsible is if you collect personal information yourself, host your own forums, or process your own payments.
     
  6. The EU considers all of that to be PII, including IP Address. If you want to comply, you would have to treat server logs in respect to the GDPR.

    However, I have some more information that indicates that this is unenforceable outside of the EU. Will post more later on tonight.
     
  7. UUiD’s aren’t owned by the players, it’s owned by Microsoft and all it does is connect to the main minecraft server and give your server limited information such as players minecraft name and skin. The IP is already enforceable in the USA, you can’t shaye the players IP. So nothing changes.
     
  8. It falls under psuedoanonymization or whatever it's called. If it can be connected to a username, it's PII. EU says you must delete IPs upon request, or delete all other relatable records to the IP in order to allow the IP to remain stored.

    Anyways. This is unenforceable in the United States due to:
    https://www.law.cornell.edu/uscode/text/47/230#
    ECPA of 1986, specifically Title II

    Both of those specifically apply to any service based in or hosted exclusively within the United States borders, regardless of audience or clientbase. The EU can not enforce a law that conflicts with and/or restricts US law.

    In short, if someone complains, just send them this:
    [​IMG]
     
  9. Yes, you are absolutely correct. However What i was saying is your minecraft server itself is fully protected if you do simple things. Minecraft gives users the UUID to connect to servers, this appears in the logs and plugin flat files and databases. This data doesn't stay on your server indefinitely. Your server will purge logs older than 30 days on restarting your server, many plugins such as block logging plugins delete inactive users past a certain date (30 is what I've seen). You have 30 days to comply with requests, so literally no issues there. The only exception is banned users, which you can fight any EU requests with security issues, by removing the IP from your system, you allow a user on your system that has broken a rule or law in your area. You're already required to safeguard information such as IP addresses, which is why you don't allow players access to such information.

    Otherwise, you don't need to worry about following the law because you can simply state that your server is intended to be used by US players only and by entering your server players agree to adhere to the US terms and conditions.

    Also, your picture literally made me LOL
     
  10. We turn off log rotations and indefinitely archive. We have had situations where we have had to access logs months later. This is one of the "non-negotiables" of the GDPR for us.

    Which is what we'd do. But even in the case of us attracting EU players (in the sense that the EU is a part of the worldwide audience), I have an extremely hard time that the EU actually has the power to enforce the law on a US company. And a hard time believing that the US government would allow for the enforcement of such a law.

    Oh, come on... Comic Papyrus isn't that bad... :p

    (...is it?)
     
  11. After reviewing it. I realized something. We can't comply with the new EU regulations. We need to have a terms of service in the united states which is full of legalize stuff. But we as server owners don't collect ambiguous data, only unambiguous data with the exception of the IP address. In which case, if the EU wants me to remove a banned members IP address, they they can come over to the US and try to force me to remove it. I'm pretty sure it wouldn't happen since I have no offices in the EU and they can find a duck to suck.

    on another note, my server has no intention on keeping data indefinitely except banned players UUID/IP addresses to keep other players safe. I will keep my 30 day purge on my server for many reasons. Logs are massive, they take up way too much space, and I have no intention of letting it sit on my server indefinitely. Same goes for database logs, I only need them to roll things back, that's it, once the purpose is done, the freed up storage space gets re purposed. As far as Europeans requesting data deletion for there privacy (were an english only server, and UK is now in brexit so not part of the EU) we will gladly do so on our server, but our website's data is controlled by Enjin, you signed an agreement with them, not us, you would have to talk to them to remove your information, not us. As far as UUID's and usernames, that is controlled by Microsoft, so if you wanted UUID's and usernames removed, you would need to speak with Microsoft, not us. UUID's are whats used to connect you to an online mode server, without Minecraft's handshake server, UUID's are pointless even if some one did hack your server, they wouldn't get much without the other server. And if some one hacked your server, you should speak with your host, they need to ensure they offer encryption and protection for your server.
     
  12. We keep the data because our community has had some pretty serious issues that resulted in bans, and then months later, new evidence combined with old evidence shed new light on the situations. We just store the old logs on a NAS in compressed zip files. Data deletion is also something we do to an extent. We don't indefinitely delete accounts (we will deactivate them and change the username upon request, but the old username stays logged internally), and we allow specific deletion requests to very personal things such as names, addresses, photos and phone numbers. Also, the GDPR states that Microsoft can (translation: is legally obligated to) force you to remove that info should they get a request to remove it.
     
    #12 mywarthog, Nov 28, 2017
    Last edited: Nov 28, 2017

Share This Page