DB/TP and Data Protection

Inspired by the recent in-game developments, which have led to a lot of concerns regarding personal data, privacy and data protection, I thought it might be a good idea to address them separately. This thread should not repeat feedback for the Offer Wall, we already have a thread for that. Please note that my own assessments constitute only my opinion. While I do have a professional background in data protection, I am not a lawyer.

A couple of general things worth pointing out:
  • The US, where DB/TP is headquartered, has a set of laws governing data protection different from, e.g., the European Union. However, Europe's data laws (mainly the already mentioned GDPR) mandate that a company that does business in the EU has to abide by these rules. Many of the current concerns are voiced by European players who suspect that their rights are not being observed properly.
  • The GDPR only concerns personalized data, i.e. data that is or can be attributed to a natural individual. However, even something as cryptic as an IP address already constitutes personal data (cf. https://www.twobirds.com/en/news/articles/2016/global/cjeu-decision-on-dynamic-ip-addresses-touches-fundamental-dp-law-questions).
  • The GDPR allows collection of data. However, in broad strokes, any collection of data needs to be lawful (there needs to be a legal ground for collection), have a limited scope (only data that is agreed upon or needed to render a service may be collected), and needs to be transparently communicated to the user.
  • The GDPR allows transmission of data into other countries. The EU even maintains a list of "secure" countries, and the US is not one of them. However, the EU and US maintain a joint framework (cf. Privacy Shield), under which companies can voluntarily comply with said rules. DB was basing their collection of data on this premise in their TOS, and they are still listed as active in the Shield's database. I could not find any reference to TP.
I am not an expert on such matters but I would assume that the TOS allows STT to share data with whatever third parties it chooses to do business with. Maybe I am wrong but I don't think they need to give us the option of which ones we want to choose.

Now, this I found intriguing. Mainly because I have been playing this game longer than the GDPR has been in effect. Generally speaking, their TOS do not override current law. As stated above, data collection needs to be lawful. The easiest solution to ensure this is asking for a user's informed consent. Now. DB's TOS detail which information they gather, and for what purposes they might pass on information to third parties. IronSource claims to collect their own data, through use of their SDK (i.e. the Offer Wall). Which is something the TOS do not cover, as far as I can tell. I still think this is problematic, because (again, opinion)...:
  • There is no contract, and no lawful grounds for TP's advertising partner to collect an individual user's data. Unless TP collects this data anyway, and only passes it on to their partner, in a contractual framework. I don't think this is accurate, as the ad plugin seems to collect data on its own. If it were accurate, TP and their partner would most likely be jointly responsible (Art. 26) for what is happening to this information.
  • The party collecting the data and passing it on (under whichever premise) is responsible for ensuring that their contractors are processing their data lawfully as well. "We didn't know" is not an excuse that would hold up in a court.
  • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

I have seen several qualified posters in the other threads, and I would encourage them to chime in as well, as this could turn into an FAQ of sorts.

Comments

  • Captain Idol ✭✭✭✭✭
    Thank you for writing this up. Very informative and I hope we get some clarification on what TP/WRG will be doing to address these issues.
  • This topic is not something I've ever had to learn about for work or personal interest, so I have 0 knowledge on it.
    I'm just wondering what sort of personalized data we're actually talking about here.
    Our email address (and possibly password)? Our Facebook account and password for those who log in with their Fb credentials? All information related to purchases? Or just whatever it is we do in game?
    The app has no authorization to access anything else on the phone, so I guess it should be limited to our interactions with the app itself.
    (This is assuming that a player doesn't use the wall, as I don't plan to use it).
  • [TFA] CaptainObvious ✭✭✭✭
    edited June 2020
    I'm just wondering what sort of personalized data we're actually talking about here.
    Our email address (and possibly password)? Our Facebook account and password for those who log in with their Fb credentials? All information related to purchases? Or just whatever it is we do in game?
    The app has no authorization to access anything else on the phone, so I guess it should be limited to our interactions with the app itself.
    (This is assuming that a player doesn't use the wall, as I don't plan to use it).

    DB has laid out what kind of data they are collecting from users in their privacy policy. This is information they receive from the platform provider, i.e. Facebook, Apple, Google (wherever you play their game):
    • Your first and last name - should be obvious
    • Your profile picture
    • Your user ID on that network, "and other public data for your friends" - whatever that entails
    • Your login E-Mail - i.e. your AppleID, Google Account e-mail, etc.
    • gender, birthday, and "other information" that service makes available - again, whatever that includes

    On top of that, they collect on their own:
    • information about the device you're using the app from
    • information about your usage of the app (how often you log on, usage, "performance data") - however, they claim to not connect that to your other identifiable data

    They also lay out examples for services they use, that they might share your data with: "packaging, mailing and delivering purchases, answering customer questions about products or services, sending postal mail, providing billing and collection services, conducting customer surveys, and processing event registration". Of course, they reserve the right to amend the list as they see fit.

    TL;DR:
    Do they collect the password to your Facebook account? Most likely not (but if your Facebook ID and DBID use the same e-mail, you should under no circumstances use the same password for both).
    Purchase information (I assume you mean payment details)? Probably not, as long as you are using Apple as a platform.
    A lot of other things on your profile, your usage of the app? Possibly.
    Does the Wall collect data on top of that, even if you don't use it? Debatable, but very likely.
  • [TFA] CaptainObvious ✭✭✭✭
    edited June 2020
    Daev wrote: »
    I'd add that the license agreement and privacy policies which apply to the game are *NOT* what is listed at the bottom on the forum here but what is listed on the various App Stores and linked to in the game. They have not been updated to reflect the current ownership of the game.

    That is actually a little fuzzy as well. There is a passage in their PP, that in case of a merger/purchase, etc., our data can be passed on to their successor/buyer, etc., for the purposes detailed in the PP. So on paper, TP may do nothing else with that data that DB was not able to do as well.

    However, as pointed out by me and by someone else in the other thread earlier, TP currently does not subscribe to the US-EU Privacy Shield, which in my opinion puts them in a grey area.
  • Prime Lorca ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.
    Farewell 🖖
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)
  • Thank you for your explanation! :)
  • Prime Lorca ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.
    Farewell 🖖
  • AviTrek ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.

    Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.

    TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.

    I'm not a lawyer, but I think you are on the wrong track. What TP collects is TP's responsibility. They need to follow their own TOS and comply with all legal requirements where they operate. What TP shares with 3rd parties also falls under that. However, if you go accept one of the offers and then agree to whatever TOS that 3rd party has, your issue is with that 3rd party not TP. If that 3rd party is in violation of local laws, it's the 3rd party's responsibility to fix it.

    TL/DR: If TP shared player information with ironSource outside of what is allowed by the TOS or local laws, TP is in trouble. If you agree to any ironSource offers, then you accepted the survey/app's privacy policy and the only question is if those policies violate local laws.
  • Prime Lorca ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.

    Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.

    TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.

    I'm also not a lawyer. And I agree that collecting without knowledge is immoral everywhere and illegal in some countries. But when you tap the offer wall button, then you are taken out of the game to a screen that looks nothing like the game. In my opinion, anything that happens past that point is a transaction between two consenting parties. Either you are willing to do things for dilithium or you are not. I personally do not plan to. But I don't want to stop anyone who is willing. That's just not my style.
    Farewell 🖖
  • @Prime Lorca [10FH] and @AviTrek, I absolutely agree, and I said something along those lines in my initial statement as well. If you gave up your data willingly to a third party, legally, your issue is not with TP. But I also think TP currently does not exactly go out of their way to draw that line, and many players might fall victim to the trust they have established in DB/TP. Certainly no law firm would touch this issue, but I assume any consumer protection body would be all over it.
  • Prime Lorca ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.

    Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.

    TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.

    I'm also not a lawyer. And I agree that collecting without knowledge is immoral everywhere and illegal in some countries. But when you tap the offer wall button, then you are taken out of the game to a screen that looks nothing like the game. In my opinion, anything that happens past that point is a transaction between two consenting parties. Either you are willing to do things for dilithium or you are not. I personally do not plan to. But I don't want to stop anyone who is willing. That's just not my style.

    I’m of the position that there is nobody else playing this game I care for so little that I would want them to be at risk of identity theft, which is a very real possibility given the quality of the offers on the wall. Consent is important, but informed consent is far more important. And right now, I don’t think that’s even possible until we learn more about how our data is being used.

    I don't entirely disagree. But at the same time, if VIP0 wants to score some dilithium for taking a survey or playing a few levels of another game, then I think it's a bit elitist to tell them that they can't do that. I'll post "buyer beware" anywhere and everywhere that I can. But at the end of the day, what people choose to do is on them. Which is to say that if there is no choice then I have a huge problem.
    Farewell 🖖
  • Prime Lorca ✭✭✭✭✭
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.

    Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.

    TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.

    I'm also not a lawyer. And I agree that collecting without knowledge is immoral everywhere and illegal in some countries. But when you tap the offer wall button, then you are taken out of the game to a screen that looks nothing like the game. In my opinion, anything that happens past that point is a transaction between two consenting parties. Either you are willing to do things for dilithium or you are not. I personally do not plan to. But I don't want to stop anyone who is willing. That's just not my style.

    I’m of the position that there is nobody else playing this game I care for so little that I would want them to be at risk of identity theft, which is a very real possibility given the quality of the offers on the wall. Consent is important, but informed consent is far more important. And right now, I don’t think that’s even possible until we learn more about how our data is being used.

    I don't entirely disagree. But at the same time, if VIP0 wants to score some dilithium for taking a survey or playing a few levels of another game, then I think it's a bit elitist to tell them that they can't do that. I'll post "buyer beware" anywhere and everywhere that I can. But at the end of the day, what people choose to do is on them. Which is to say that if there is no choice then I have a huge problem.

    If the threat to our data only existed inside the wall, I would agree with you a lot more than I do under the current circumstances.

    Yep. I kind of think there's a lot riding on that answer.
    Farewell 🖖
  • Cpt_insano_2k1 ✭✭✭✭✭
    edited June 2020
    • Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.

    I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.

    I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph? :)

    I was referring to the "good faith argument" bit.

    Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.

    TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.

    I'm also not a lawyer. And I agree that collecting without knowledge is immoral everywhere and illegal in some countries. But when you tap the offer wall button, then you are taken out of the game to a screen that looks nothing like the game. In my opinion, anything that happens past that point is a transaction between two consenting parties. Either you are willing to do things for dilithium or you are not. I personally do not plan to. But I don't want to stop anyone who is willing. That's just not my style.

    I’m of the position that there is nobody else playing this game I care for so little that I would want them to be at risk of identity theft, which is a very real possibility given the quality of the offers on the wall. Consent is important, but informed consent is far more important. And right now, I don’t think that’s even possible until we learn more about how our data is being used.

    I don't entirely disagree. But at the same time, if VIP0 wants to score some dilithium for taking a survey or playing a few levels of another game, then I think it's a bit elitist to tell them that they can't do that. I'll post "buyer beware" anywhere and everywhere that I can. But at the end of the day, what people choose to do is on them. Which is to say that if there is no choice then I have a huge problem.

    If the threat to our data only existed inside the wall, I would agree with you a lot more than I do under the current circumstances.

    Yep. I kind of think there's a lot riding on that answer.

    Agreed. And with the answer to that question being the easiest to provide/confirm/deny by the devs, each second that goes by without getting that answer makes me more inclined to believe that the devs don’t want to freak everyone out with the truth.
  • Daev ✭✭✭
    This was the update I could make at the time.
    Shan wrote: »
    This was the update I could make at the time.

    Shan,

    Sorry, I'm really thrown by this.

    Am I entirely mis-reading this or are you suggesting that you were speaking in a personal capacity and not as a representative of the game/company?

    If so, can you tell us how we can tell the difference in your posts please? I think that's a really important distinction to be honest.

    Thanks
  • Prime Lorca ✭✭✭✭✭
    Shan wrote: »
    Daev wrote: »
    This was the update I could make at the time.
    Shan wrote: »
    This was the update I could make at the time.

    Shan,

    Sorry, I'm really thrown by this.

    Am I entirely mis-reading this or are you suggesting that you were speaking in a personal capacity and not as a representative of the game/company?

    If so, can you tell us how we can tell the difference in your posts please? I think that's a really important distinction to be honest.

    Thanks

    I understand what you mean, and this is delicate for me as well as I am trying to keep the dialog open and provide some reassurance. This update was done based on my position in the studio, and what I knew of the situation at the time.

    A more complete review/response will be provided by the Privacy Team, and will be clearly labeled as such.


    So if new information became available that contradicted the original statement, I'm pretty sure Shan would let us know.
    Farewell 🖖
  • (HGH)Apollo ✭✭✭✭✭
    Sadly in the United States there are very weak internet privacy laws. I assume everything done on the internet is being collected and sold by multiple internet companies. The best way to make changes is to vote for politicians that promise to do something about strengthening privacy laws and then hold those politicians to their promises. That is the only way things will change.
    Let’s fly!
  • Ljofa ✭✭✭

    TL;DR:
    Do they collect the password to your Facebook account? Most likely not (but if your Facebook ID and DBID use the same e-mail, you should under no circumstances use the same password for both).
    Purchase information (I assume you mean payment details)? Probably not, as long as you are using Apple as a platform.
    A lot of other things on your profile, your usage of the app? Possibly.
    Does the Wall collect data on top of that, even if you don't use it? Debatable, but very likely.

    It’ll also include in-game chat where comments can be individually attributed in case laws are broken.
  • AviTrek ✭✭✭✭✭
    Ljofa wrote: »

    TL;DR:
    Do they collect the password to your Facebook account? Most likely not (but if your Facebook ID and DBID use the same e-mail, you should under no circumstances use the same password for both).
    Purchase information (I assume you mean payment details)? Probably not, as long as you are using Apple as a platform.
    A lot of other things on your profile, your usage of the app? Possibly.
    Does the Wall collect data on top of that, even if you don't use it? Debatable, but very likely.

    It’ll also include in-game chat where comments can be individually attributed in case laws are broken.

    I would be shocked if they share anything related to in game chat. That's not something that an integration API would have any access to without setting it up specifically, and I doubt TP would do that.

    Purchase Information would not mean payment details, it means how often you're purchasing and how much you're spending. I would expect that kind of data is being shared and is already disclosed as being shared for other ad partners.
  • ~peregrine~ ✭✭✭✭✭
    Daev wrote: »
    Shan wrote: »

    I understand what you mean, and this is delicate for me as well as I am trying to keep the dialog open and provide some reassurance. This update was done based on my position in the studio, and what I knew of the situation at the time.

    A more complete review/response will be provided by the Privacy Team, and will be clearly labeled as such.

    I get where you are coming from and I do appreciate that you are treading a balance here but I really don't think that it is fair to us as players/customers to be given some fairly definitive information to later find out it is your opinion on it rather than a fully informed answer.

    I don't mean any disrespect or to cause you any issues but I would ask you to reconsider any statements like that or to make them clearer if you are just speaking to your understanding rather than the specifics.

    Thanks

    This post exemplifies respect. I will try my best to emulate you, @Daev , because you just turned on a light for me. I sincerely thank you. 🖖
    "In the short run, the game defines the players. But in the long run, it's us players who define the game." — Nicky Case, The Evolution of Trust