GDPR

Discussion in 'Spigot Discussion' started by Bean900, Jun 5, 2018.

  1. Heyo,
    Since the GDPR has been around in Europe for a short time, I was wondering if there is a need in the community for a plugin that tries to cover all aspects. Possibly you can give me feedback :) I've got time and energy to develop something for this.

    Bean
     
    #1 Bean900, Jun 5, 2018
    Last edited: Jun 5, 2018
    • Like Like x 1
  2. Do you mean the GDPR? If so then it's only required for personal information. I don't think you would need to meet the requirements if you are simply storing player data.
     
  3. Just for your information DSGVO (Datenschutz-Grundverordnung) is just the German name. In an English forum I would refer to it as GDPR (General Data Protection Regulation). Don't mean to offend.
    At the moment I am working on something similar and I think it would be a good idea.
     
  4. Sadly the GDPR does indeed cover information like IP-addresses and online time (server usage) which some plugins save and even the server logs contain information like IPs and online time.
     
    • Informative Informative x 1
  5. So like a plugin that asks the player to accept that we are collecting data on them? Could be cool.
     
    • Agree Agree x 2
  6. I've seen that before on some German servers where you have to accept it before you can play.
     
  7. Yes I meant GDPR :D

    I think it's easy to just offer a kind of confirmation button. But there is much more. For example, an interface for deleting data.

    If you want we can maybe work together on this plugin Ignirion?

    Maybe we can find a way to stop displaying the IP addresses in the log, for example.
     
  8. Stopping the logging of the IP address is almost impossible, because it's not only in the server.log. Plugins like Essentials etc. use it, and some plugins like AuthMe depend on it.

    Deleting data would only work if there is an API implementation for it, so every plugin would have to hook into it.

    If you want to stop displaying it from the log anyway you can do that with a Log4J filter, it's pretty simple.
     
  9. Surely the log is covered by mojang's notice?

    https://minecraft.net/en-us/privacy/gdpr/
     
  10. For people wondering: No, you don't need to ask permission to keep IP addresses. As long as you keep the IP addresses to prevent fraud and ensure system security, you really do not need to ask for consent regarding this, nor are you forced to delete this whenever someone requests you to delete it. See GDPR article 6, paragraph 1, point F and recital 49.

    See here: https://gdpr-info.eu/art-6-gdpr/

    As for a short explanation of what that page says: It basically says you're allowed to keep data only if one of the 6 principles apply (section 1, point A to F). In our case, point F applies, because we have legitimate interest in keeping these IP addresses with an actual solid reason, which is to ensure safety of our players (for example, IP banning). The law states that you still have to mention whenever you fetch this data, so it should be mentioned in your privacy policy. However, if you scroll down to the recitals, you'll see recital 49; "Network and information security as overriding legitimate interest". Basically, the recitals (if I understand correctly) are special exceptions to whether you must ask for consent or not.

    I've been looking for a way to get rid of the IP logging in the default Spigot log, how should one override that? Can it simply be done with a simple log4j configuration somewhere? If so, got an example? I never really got my head around configuring log4j. I asked md_5 about this but it seems like he either didn't take me seriously or just doesn't care about it.

    Also note that I strongly believe that UUIDs are NOT personal data. That would just be way too overkill in so many ways, we cannot identify a natural person with just a UUID alone. Having mentioned that, the IP address is about the only thing your MC server keeps as personal data, which, according to recital 49, doesn't require consent, meaning you don't need any "I accept" button. It's still mandatory putting this on your website somewhere in a privacy policy. You could take mine as an example, possibly (I am no lawyer, just a guy who spent a week Googling, don't blindly take my word on any of this, do your homework as well).

    Why would it? The entire reason Mojang came up with a new, enforced EULA a few years ago is because they want to make it very clear that Mojang and Minecraft servers have no relationship whatsoever and they are not responsible at all for what they (we, as servers) do. We are on our own.
     
    #10 MrDienns, Jun 5, 2018
    Last edited: Jun 5, 2018
    • Informative Informative x 3
  11. Ah that's good to know with the IP addresses. However, data like the Buildlog or the online time must be deleted or anonymized on request according to my understanding.
     
  12. I've done it with a Log4J Filter, this is some old code I found somewhere in an old project and then edited to fit my needs (especially for AntiBotDeluxe), I'm currently working on a different method anyway but this works.

    The filter itself: https://hastebin.com/ruzunugefa.java
    Applying filter: https://hastebin.com/taruyiferi.java
     
    • Useful Useful x 2
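    An added example of the Log4J filter approach mentioned in #8 and #12 (not code from this thread or from the hastebin links above, which are not reproduced here). It assumes a Spigot plugin running on a Log4j 2 based server where plugin loggers inherit from the root logger; `IpRedactingFilter` and `install` are names chosen for this example. Instead of silently dropping the whole login line, it re-emits the line with the address masked, so the operational record (who joined, when) survives without the IP:

```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.Logger;
import org.apache.logging.log4j.core.filter.AbstractFilter;
import org.bukkit.plugin.java.JavaPlugin;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Suppresses log lines that contain an IPv4 address and re-emits a redacted copy. */
public final class IpRedactingFilter extends AbstractFilter {

    // Matches dotted-quad IPv4 literals such as 203.0.113.7 (IPv6 is deliberately not handled here).
    static final Pattern IPV4 = Pattern.compile("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b");

    // Guards against re-entering this filter while we log the redacted copy on the same thread.
    private static final ThreadLocal<Boolean> REENTRANT = ThreadLocal.withInitial(() -> false);

    /** Returns the message with every IPv4 literal replaced, or null when it contains none. */
    static String redact(String message) {
        Matcher m = IPV4.matcher(message);
        return m.find() ? m.replaceAll("[ip redacted]") : null;
    }

    @Override
    public Result filter(LogEvent event) {
        if (REENTRANT.get()) {
            return Result.NEUTRAL;      // our own redacted re-log: let it through untouched
        }
        String redacted = redact(event.getMessage().getFormattedMessage());
        if (redacted == null) {
            return Result.NEUTRAL;      // no address in this line: leave the event alone
        }
        REENTRANT.set(true);
        try {
            // Keep the event at its original level and logger, minus the address.
            LogManager.getLogger(event.getLoggerName()).log(event.getLevel(), redacted);
        } finally {
            REENTRANT.set(false);
        }
        return Result.DENY;             // drop the original line that carried the IP
    }

    /** Call from your plugin's onEnable(); attaches the filter to the root logger config. */
    public static void install(JavaPlugin plugin) {
        ((Logger) LogManager.getRootLogger()).addFilter(new IpRedactingFilter());
        plugin.getLogger().info("IP redaction filter installed");
    }
}
```

    Note that this only changes what reaches the console and latest.log; plugins that store the address themselves (AuthMe, Essentials, ban lists) still keep it, which is the point #8 makes.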
  13. Not at all. The GDPR protects someone's personal data. Aka, your real name, address, e-mail address, IP address, etc. Anything that can be used to directly or indirectly identify a natural person is a piece of personal data, according to the law. Any game related data is not related to this at all, there's no need to delete anything. Similarly, when you have a forum and someone asks to remove their personal data, you can just delete the e-mail from the account, deactivate the account, rename it, but you can perfectly fine leave all of the posts the account made as is. Just because someone made a removal request doesn't mean you need to delete every single tiny bit of info relating to that person, just personal data.

    That seems easy enough. Thank you.
     
    • Agree Agree x 1
    • Informative Informative x 1
    • Useful Useful x 1
  14. I like the fact that the European Union changed some of the laws for personal data and released the GDPR. Now sites load 300 times faster + it protects your internet data. This is so cool. Also the GDPR can't hide our IPs from the sites that we went on.
     
  15. The thing with "personal data" is that anything that relates to an identifiable person is declared to be personal data. Sure if you don't have the IP address or any names you can't identify the person anymore, but "personal data" is a lot more than just the information that is used to identify a person. Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
    & https://gdpr-info.eu/art-4-gdpr/

    But since anonymization works too, you probably really just need to delete the IP addresses.
    However I am not quite sure if you can or cannot use a UUID to identify an IP address or a real person.
     
    #15 Ignirion, Jun 5, 2018
    Last edited: Jun 5, 2018
    • Informative Informative x 2
  16. UUIDs are related to the account not the person. However it might be a good idea to make players agree to the t&cs anyway (just to be safe, cause we're not lawyers).
     
    • Agree Agree x 4
  17. This really is a very debatable subject, really. Honestly I find it quite sad that some of the SpigotMC developers (like md_5) refuse to enlighten us about these kinds of things (or rather, GDPR threads are being locked because it's against the forum rules to discuss legal things). In a sense, you could say that the IP address is related to a computer and not the person and the e-mail address is related to an inbox, not a person (that was a joke, by the way). There are many ways you can respond to these kinds of things, but overall, the GDPR says it's a piece of personal data if it can be used directly or indirectly to identify a natural person. It is simply from top to bottom absolutely impossible for us to identify a natural person with just a UUID. In fact, the UUID isn't even going to help us with identifying a natural person if you combine it with other pieces of data.

    From article 4 that @Ignirion linked:

    ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    They do mention online identifiers, but I'm pretty sure they mean an IP address with this. An IP address can be used to pinpoint a computer, which relates to an actual location (usually the home address of a person, if using a normal desktop). A Minecraft UUID is really nothing more than just an account ID... It doesn't relate to any IP, it doesn't relate to any address, e-mail address, home address, or someone's full name (only payment information of the Minecraft account itself, which we, again, don't have and will never get access to). I really do not see why Spigot is not taking the time and money to just make a simple statement about this.
     
    #17 MrDienns, Jun 5, 2018
    Last edited: Jun 5, 2018
    • Like Like x 2
    • Agree Agree x 1
    • Useful Useful x 1
  18. electronicboy

    IRC Staff

    I mean, it's against the rules; and I'm really not sure what you're expecting beyond md to go out and pay for a lawyer to provide a blanket statement which would more than likely leave the entire topic as grey as it already is. If *you* want advice around *your* data usage and how it's affected by the GDPR, speak to a lawyer.

    General guidelines around the web which you can google say otherwise, and that is the exact reason why Spigot enforces the "no legal talk" on here.
     
  19. Cubecraft has created a plugin where when you logon, you have to agree to their privacy policy to continue playing (their servers are based in the UK I believe?). You can see their privacy policy here https://www.cubecraft.net/help/privacy-policy, which may be of help.
     
  20. This was an example of how you could "shit post" (I don't know what else to call it) your way around any statement the law makes, as somewhat of an exemplary result of:
    so of course, that follow-up statement of mine was not meant to be taken seriously. It was meant as a silly example.

    Yes, it's mostly our problem, but clearly more people are running into the exact same thing. I'm perfectly fine with Spigot not doing much as a response to the GDPR, but right now it (not meant as any kind of offence) seems like the GDPR went over Spigot's head and they couldn't care less about any of it. Spigot doesn't even have a privacy policy at all, and I wouldn't find it very unusual for a software distributor to at least inform us about potential changes in a law that may or may not affect us. Right now, we don't get anything. If Spigot wants to prevent people from discussing these kinds of things (which more and more people are starting to worry about), then Spigot should be making an actual statement themselves so we don't need to go through all of the hassle of making threads, doing our own research, getting our threads locked, etc. etc. Yes, this is mostly our problem, yes it is "our" data, yes it's against the rules, but with all due respect, from a community perspective, I'd make an exception this one time (or help us out with an official statement).
     
    • Agree Agree x 3