DB/TP and Data Protection
[TFA] CaptainObvious
✭✭✭✭
in The Bridge
Inspired by the recent in-game developments, which have lead to a lot of concerns regarding personal data, privacy and data protection, I thought it might be a good idea to address separately. This thread should not repeat feedback for the Offer Wall, we already have a thread for that. Please note that my own assessments constitute only my opinion. While I do have a professional background in data protection, I am not a lawyer.
A couple of general things worth pointing out:
Now, this I found intriguing. Mainly because I have been playing this game longer than the GDPR has been in effect. Generally speaking, their TOS do not override current law. As stated above, data collection needs to be lawful. The easiest solution to ensure this is asking for a user's informed consent. Now. DB's TOS detail which information they gather, and for what purposes they might pass on information to third parties. IronSource claims to collect their own data, though use of their SDK (i.e. the Offer Wall). Which is something the TOS to not cover, as far as I can tell. I still think this is problematic, because (again, opinion)...:
I have seen several qualified posters in the other threads, and I would encourage them to chime in as well, as this could turn into an FAQ of sorts.
A couple of general things worth pointing out:
- The US, where DB/TP is headquartered, has a set of laws governing data protection different from, e.g., the European Union. However, Europe's data laws (mainly the already mentioned GDPR), mandate that a company that does business in the EU has to abide by these rules. Many of the current concerns are voiced by European players who suspect that their rights are not being observed properly.
- The GDPR only concerns personalized data, i.e. data that is or can be attributed to a natural individual. However, even something as cryptic as an IP address already constitutes personal data (cf. https://www.twobirds.com/en/news/articles/2016/global/cjeu-decision-on-dynamic-ip-addresses-touches-fundamental-dp-law-questions).
- The GDPR allows collection of data. However, in broad strokes, any collection of data needs to be lawful (there needs to be a legal ground for collection), have a limited scope (only data that is agreed upon or needed to render a service may be collected), and needs to be transparently communicated to the user.
- The GDPR allows transmission of data into other countries. The EU even maintains a list of "secure" countries, and the US is not one of them. However, the EU and US maintain a joint framework (cf. Privacy Shield), under which companies can voluntarily comply with said rules. DB was basing their collection of data on this premise in their TOS, and they are still listed as active in the Shield's database. I could not find any reference to TP.
[RotP]Ran Airen wrote: »I am not an expert on such matters but I would assume that the TOS allows STT to share data with whatever third parties it chooses to do business with. Maybe I am wrong but I don't think they need to give us the option of which ones we want to choose.
Now, this I found intriguing. Mainly because I have been playing this game longer than the GDPR has been in effect. Generally speaking, their TOS do not override current law. As stated above, data collection needs to be lawful. The easiest solution to ensure this is asking for a user's informed consent. Now. DB's TOS detail which information they gather, and for what purposes they might pass on information to third parties. IronSource claims to collect their own data, though use of their SDK (i.e. the Offer Wall). Which is something the TOS to not cover, as far as I can tell. I still think this is problematic, because (again, opinion)...:
- There is no contract, and no lawful grounds for TP's advertising partner to collect an individual user's data. Unless TP collects this data anyway, and only passes it on to their partner, in a contractual framework. I don't think this is accurate, as the ad plugin seems to collect data on its own. If it were accurate, TP and their partner would most likely be jointly responsible (Art. 26) for what is happening to these information.
- The party collecting the data and passing it on (under whichever premise), is responsible for ensuring that their contractors are processing their data lawfully as well. "We didn't know" is not an excuse that would hold up in a court.
- Any information a player has willingly given up (e.g. by filling in a survey with their actual data) is not a data protection issue, as far as DB/TP are concerned. Even though a good faith argument could be made, as DB/TP is indirectly linking to these predatory services.
I have seen several qualified posters in the other threads, and I would encourage them to chime in as well, as this could turn into an FAQ of sorts.
28
Comments
I'm just wondering what sort of personalized data we're actually talking about here.
Our email address (and possibly password)? Our Facebook account and password for those who log in with their Fb credentials? All information related to purchases? Or just whatever it is we do in game?
The app has no authorization to access anything else on the phone, so I guess it should be limited to our interactions with the app itself.
(This is assuming that a player doesn't use the wall, as I don't plan to use it).
DB has laid out what kind of data they are collecting from users in their privacy policy. These are information they receive from the platform provider, i.e. Facebook, Apple, Google (wherever you play their game):
On top of that, they collect on their own:
They also lay out examples for services they use, that they might share your data with: "packaging, mailing and delivering purchases, answering customer questions about products or services, sending postal mail, providing billing and collection services, conducting customer surveys, and processing event registration". Of course, they reserve the right to amend the list as they see fit.
TL;DR:
Do they collect the password to your Facebook account? Most likely not (but if your Facebook ID and DBID use the same e-mail, you should under no circumstances use the same password for both).
Purchase information (I assume you mean payment details)? Probably not, as long as you are using Apple as a platform.
A lot of other things on your profile, your usage of the app? Possibly.
Does the Wall collect data on top of that, even if you don't use it? Debatable, but very likely.
That is actually a little fuzzy as well. There is a passage in their PP, that in case of a merger/purchase, etc., our data can be passed on to their successor/buyer, etc., for the purposes detailed in the PP. So on paper, TP may do nothing else with that data that DB was not able to do as well.
However, as pointed out by me and by someone else in the other thread earlier, TP currently does not subscribe to the US-EU Privacy Shield, which in my opinion puts them in a grey area.
I was with you, up until this point. If a player is consciously filling out a survey, then any data knowingly given is a consenting transaction between two parties. If you are talking strictly about data which is collected without the player's knowledge, then you could make a good faith argument against TP for doing business with IronWhatever.
I don't really follow, I think we are on the same page. I was talking about the data willingly given up, which was the subject of a lot of posts in the other thread addressing privacy issues. You might have missed the tiny "not" in my paragraph?
I was referring to the "good faith argument" bit.
Well, yes and no. The automatic collection without consent is, in my view, plain illegal, at least in the EU. No need to limit this to good faith.
TP is currently linking to predatory websites, through their advertising partner. Users are paid TP's in-game currency as reward for giving up their data on those websites. At first glance, there seems to be a direct link between the two parties. Of course, in their TOS TP rejects all liability for third party services, and of course those websites collect something that could be construed as a separate agreement. But one should not have to read legalistic fine print in order to find that out, if all the obvious signs point to the opposite. Again, I'm not a lawyer, so I might be totally on the wrong track here.
I'm not a lawyer, but I think you are on the wrong track. What TP collects is TP's responsibility. They need to follow their own TOS and comply with all legal requirements where they operate. What TP shares with 3rd parties also falls under that. However, if you go accept one of the offers and then agree to whatever TOS that 3rd party has, your issue is with that 3rd party not TP. If that 3rd party is in violation of local laws, it's the 3rd parties responsibility to fix it.
TL/DR: If TP shared player information with ironSource outside of what is allowed by the TOS or local laws, TP is in trouble. If you agree to any ironSource offers, then you accepted the survey/apps privacy policy and the only question is if those policies violate local laws.
I'm also not a lawyer. And I agree that collecting without knowledge is immoral everywhere and illegal in some countries. But when you tap the offer wall button, then you are taken out of the game to a screen that looks nothing like the game. In my opinion, anything that happens past that point is a transaction between two consenting parties. Either you are willing to do things for dilithium or you are not. I personally do not plan to. But I don't want to stop anyone who is willing. That's just not my style.
I’m of the position that there is nobody else playing this game I care for so little that I would want them to be at risk of identity theft, which is a very real possibility given the quality of the offers on the wall. Consent is important, but informed consent is far more important. And right now, I don’t think that’s even possible until we learn more about how our data is being used.
I don't entirely disagree. But at the same time, if VIP0 wants to score some dilithium for taking a survey or playing a few levels of another game, then I think it's a bit elitist to tell them that they can't do that. I'll post "buyer beware" anywhere and everywhere that I can. But at the end of the day, what people choose to do is on them. Which is to say that if there is no choice then I have a huge problem.
If the threat to our data only existed inside the wall, I would agree with you a lot more than I do under the current circumstances.
Yep. I kind of think there's a lot riding on that answer.
Agreed. And with the answer to that question being the easiest to provide/confirm/deny by the devs, each second that goes by without getting that answer makes me more inclined to believe that the devs don’t want to freak everyone out with the truth.
Here is the update I can make at this time.
We understand your concerns and we are continuing to work closely with our Privacy Team to provide you with an overview that will address those concerns.
What I can tell you so far is that, regarding consent for ads/Offer Wall, we’ve always erred on the side of caution. This means that our game considers that consent is not given, and that no personal information is being shared.
There will be more details added in the overview that we will provide next week.
I will be x-posting this in the other thread as well.
Again, thank you for your patience.
Based on the information from Ironsource's own website (as shared most recently by Captain Womble on the other thread) that statement appears to be factually inaccurate, or at least woefully incomplete. If this is genuinely TP's view of the situation then it appears that those in charge don't really understand how their new partners operate.
This was the update I could make at the time.
This is still under review by our Privacy Team, and a more complete update will be forthcoming.
I do not have an ETA. I will continue to keep you updated, when I can.
Shan,
Sorry, I'm really thrown by this.
Am I entirely mis-reading this or are you suggesting that you were speaking in a personal capacity and not as a representative of the game/company?
If so, can you tell us how we can tell the difference in your posts please? I think that's a really important distinction to be honest.
Thanks
I understand what you mean, and this is delicate for me as well as I am trying to keep the dialog open and provide some reassurance. This update was done based on my position in the studio, and what I knew of the situation at the time.
A more complete review/response will be provided by the Privacy Team, and will be clearly labeled as such.
So if new information became available that contradicted the original statement, I'm pretty sure Shan would let us know.
It’ll also include in-game chat where comments can be individually attributed in case laws are broken.
I would be shocked if they share anything related to in game chat. That's not something that an integration API would have any access to without setting it up specifically, and I doubt TP would do that.
Purchase Information would not mean payment details, it means how often you're purchasing and how much you're spending. I would expect that kind of data is being shared and is already disclosed as being shared for other ad partners.
I get where you are coming from and I do appreciate that you are treading a balance here but I really don't think that it is fair to us as players/customers to be given some fairly definitive information to later find out it is your opinion on it rather than a fully informed answer.
I don't mean any disrespect or to cause you any issues but I would ask you to reconsider any statements like that or to make them clearer if you are just speaking to your understanding rather than the specifics.
Thanks
I absolutely see where you are coming from, and I for one appreciate your level-headed hands off approach.
However, like I'm sure every iOS tablet user playing this game, I had to download an update to the Star Trek Timelines app prior to ever engaging with the Free Dilithium offers wall.
For me, it is not just a question of not interacting with a fairly annoying and tedious interface to acquire access to a pittance of resources. I have no choice but to interact with a now updated app through which a potentially unscrupulous third party may have access to my device.
This sets off legitimate alarms for the security of data on my home network - and in lockdown - my remote access to my work.
Every delay in TP issuing some reassurance that my device, my home network and my work data are 'safe' and the app hasn't jeopardised that safety is another addition to that concern.
Please TP - get back to us on this matter formally, before things necessarily become nastier.
This post exemplifies respect. I will try my best to emulate you, @Daev , because you just turned on a light for me. I sincerely thank you. 🖖