Concern 1:
Our Google/Apple Advertising Identifiers also constitute personal information under GDPR Art. 4.1. The ironSource SDK has to be initialized with this advertising ID on the Apple Store/Google Play platforms and it has to be done before displaying the Offerwall. In other words, it seems to me there is a distinct possibility that TP is passing on personal information to ironSource via their SDK, without consent, even if the user does not click on the "Free Dilithium" button. The game would otherwise be in violation of Apple/Google policy and risk being pulled out from their respective app stores. I intend to request a clarification on this matter and if the answer is not satisfactory or the inquiry goes unanswered for 30 days, I will be filing a GDPR violation complaint with my local Data Protection Authority.
Concern 2:
Under GDPR and CCPA, we can make requests to retrieve the data stored by TP and ironSource or have it deleted. ironSource provides information on how to do this and they also mention they can retrieve 2 data sets which will respectively contain entries with the following data fields:
Needless to say, this kind of data collection should be of major concern to everyone not just to those in the European Economic Area or California. The Tel Aviv-based ironSource boasted about reaching 800 million users each month back in 2018 which feed into their AURA enterprise solutions with all the data intelligence you can possibly imagine.
Some mentions:
What TP had just done here would be outright illegal even in the US under the COPPA act if kids were playing this game. The FTC has just fined a game developer that was collecting data without consent, not directly, but via 3rd party ad networks including our beloved ironSource. The FTC: "app makers can and will be held liable for the data collection practices of third-party ad networks, even if the app itself isn’t storing kids’ personal data on its own servers". Luckily, STT is not played by kids as TP's privacy policy specifically mentions ages 13+ to be in compliance with COPPA. TP's customers aren't kids so their privacy be damned.
It is a best practice in the European Economic Area to ask for new consent whenever a new ad network is added to an app to avoid any gray area under GDPR, regardless of ads being personalized or not. ironSource is a bit more in this case as it is classified as a data processor under GDPR and we've seen above what kind of data it potentially stores and processes, yet TP has not asked for our consent.
Conclusion:
I am far from a GDPR expert and even farther from being a privacy and data protection lawyer. But this entire thing is just a whole can of worms that looks extremely shady because of consumer privacy concerns, because it is on the edge of legality and frankly, it might not actually be legal in many jurisdictions. Data protection laws are relatively new, GDPR is extremely new, Data Protection Agencies in the EU are in their infancy and enforcement is somewhat limited, but this whole shady business might just crumble down eventually. For TP to throw us into this mud is just unpardonable.
It's taking way too long to get the answers to key questions. Questions that the answers should have been on hand BEFORE the Offer Wall was added. Are people's identities at risk of being stolen? Are people at risk of being financially exploited?
"The truth is like a lion; you don't have to defend it. Let it loose; it will defend itself."
Sadly in the United States there are very weak internet privacy laws. I assume everything done on the internet is being collected and sold by multiple internet companies. The best way to make changes is to vote for politicians that promise to do something about strengthening privacy laws and then hold those politicians to their promises. That is the only way things will change.
Yep. "Mobile" Gaming Industry needs some serious regulations.
If you don't do a survey, no. TP doesn't even have the data to steal your identity unless you're using your STT password on banking sites.
Correction: if you don't do a survey, quite possibly yes. That's according to Ironsource, and they seem very proud of the fact that they can get this information from people without their consent.
And there's a lot more to identity and data theft than bank details.
Fun fact: the easiest way to "hack" something isn't even computer based. It's "social engineering" which is just a fancy way of saying "conning people." One of the easiest ways to do that is having enough information about someone to sound knowledgeable, and the acting chops to sound like you're important and/or you know what you're talking about.
Think about stuff you throw away. Mail with your address on it - someone now knows where you shop online, or maybe political affiliations, or .... Doctor's bill - they know at least *some* details about your health, maybe even just who you see. Receipts - what you've bought, when you bought it, how much you paid. Shopping habits, personal tastes, financial insight. Someone spends 5 minutes digging in your trash can before the garbage truck comes and they know more about you than a lot of people - even if it's just a rough idea.
Now I have no idea how this information could *actually* be used, but I can definitely picture someone calling using it to say they know me - maybe they're pretending to be my wife, or a kid or brother or whatever - and either getting *more* info that would be more useful or really screwing up my day. Maybe they use my name and address on a loan they know no algorithm would flag because it fits my financial status. Use my info to get a mobile line and bail on it. Whatever.
Now if that person could get into my phone, all those little bits of garbage they happen to catch have a much different layer to them. Now maybe they have the different apps I use, maybe the IP addresses my phone accesses. Phone model, OS version, carrier - that's all super basic stuff to get access to, and that's more stuff to add into whatever profile they're building.
Most likely this company would just use it to serve me "appropriate" ads, I really doubt they're going to try to blackmail me by telling my boss how much time I spend on my game. But maybe they're going to sell it to some other ad company. Or well shoot! We just happened to get hacked and now there's no telling where that info ended up! Now some script kiddie has information I didn't give anyone any authorization to have, and maybe *they* think my boss would like to know what I'm really doing during some presentation. No passwords or account numbers need to be stolen.
Yeah, it's all a bit of a stretch, and I'd like to think I'm too small a fish for someone to waste the effort on, but the beauty of computers is that someone can catch enough small fish in a short amount of time that they can eat pretty damned well for a while.
My ingame purchases go through the Google Play/Google Pay thingie. I hope that means that STT/DB/WRG/TP/WTWBCNW doesn't even know the last four of my card number. I hope.....
The problem is that the Offer Wall company brags about data mining people. Even if they do not open the Offer Wall. That is what concerns people.........
"The truth is like a lion; you don't have to defend it. Let it loose; it will defend itself."
Of course, but that's my point. What are they data mining? They can find out about your device. They have an advertising ID to correlate against other networks, TP could be giving them a history of your previous purchases. But no one has your SSN, your credit card, your physical address, or similar information. Data mining is about correlating information to make predictions about you to generate more compelling offers. It doesn't generate your SSN out of thin air.
Disclaimer:
1. I am not a lawyer and as such this post does not constitute legal advice.
2. Information source is a UK government site and is relevant to me as a UK resident - may or may not be the same for you
3. Interpretation is mine, applies to me by my logic - it may or may not fit your specific case. End Disclaimer
My Understanding:
1. TP/WRG is the controller and processor with whom I have an agreement (i.e. TOS to play their game)
2. In playing this game any data collected & processed by TP/WRG or its partners is the responsibility of TP/WRG, even that which is passed to or collected by any third party they further engage with.
3. I have a right under UK law to request details on what data is collected and how it is used
4. TP has 30 days from the receipt of such request to respond with information
Most Importantly, I have the legal right to:
1. Be informed if my personal data is being used
2. Get my data deleted
3. Limit how the Organisation uses my data
4. To Object to the use of my data
5. Raise a concern about how my data is being used
My Issues / Questions :
1. I appreciate Legal team needs time - but an official "damage control or holding" response could & should have been made by now.
Again, here I will say, @Shan's work is much appreciated, but she has made it clear, her response is to keep dialogue open & continuing and is not the legal update from the organisation
2. Surely when TP / WRG entered into a legal & commercial engagement with IronSource, there would have been some due diligence and they should already have the information to hand
If this is not the case, then we should all be really worried, as TP has the ability to gain access to a lot of information from your mobile devices and if they are not clear on the fact that they are a data controller and now also a processor.......
3. I would like to know exactly what information IronSource is able to collect and is collecting from my device if I do not use the wall
4. I would like to know exactly what information IronSource is able to collect and is collecting from my device if I use the wall
5. I would like to know what TP/WRG & IronSource are doing with my data and to whom else they are providing it.
What I will be doing:
1. Raising an official GDPR ticket, with some very specific questions. I would encourage you to do the same if this applies to you
2. Based on the answers to #3, 4, & 5 above I will send an official request to delete my data
Edits:
- Spelling corrections - thank you @Bylo Band for pointing these out!
- Raised GDPR based ticket on 1st July 2020
I did this last week (25th). The first response was demonstrably incorrect and when I pointed this out, I was replied to by 'Player Support Leads' who is looking into it. I'm still waiting - I'm sure they know there's a pretty strict timeline set out in the legislation. Been updating (and will continue to do so) in the other thread.
I have no intention of hijacking the thread, apologies if it seemed that way - was only trying to keep it on track, add my thoughts and add more information
BTW - I clicked on the wall, closed it and clicked on the more information button in the DIL store, my broadband provider blocked the page as it is known to be a malware host and phishing site.......
While zendesk is obviously a legitimate site, routing the traffic through a 3rd party may not have been the best move. It seems that bit.do is on several blacklists because of its association with some nefarious characters. It is not surprising that some folks may see malware warnings with this link.
It would probably have been better to use your own server for the redirection rather than a 3rd party service. Many of the url shortening services seem to be marked as malware.
And no offense intended, but it was a rather simple google to learn this. It does show a lack of due diligence on the part of DB/TP/WRG.
(First time forum user here, and I wish this wasn't the issue that had prompted me to finally get on here. I've been playing the game for just under a year and up until this week enjoying it and the community a great deal. And even though I'm a first time user, I've been lurking here for most of the time I've been playing, and I do just want to say that none of this is directed at you, @Shan !)
I sent a ticket to CS last week expressing my concerns around all this, and got back a not-very-helpful answer pointing me to the TOS (which wasn't the same as the one linked within the Google Play Store at that time, but that's by the by, really). I replied with some more pointed GDPR-related questions, and have not yet received a further response. Amongst my still unanswered questions, I asked at what point my explicit opt-in consent had been gained for data sharing with IronSource, as my (non-expert) understanding is that that's a requirement under GDPR.
As I wait for a reply from CS, though, I am getting more and more worried that the argument is going to be that by manually updating to 7.5.3 I had somehow given such consent, even though at no point in the update process was any variation to the terms made clear. What's particularly worrying to me is that I don't think I have ever had to manually update the game before; as far as I can remember, it has always done it automatically without any intervention needed on my part, usually long before I started to see some players saying that they were getting frustrated about not being on the new version yet. I've also seen a lot of other discussions - including here on the forums - that people who aren't used to having to manually update are having to do so on this occasion, which makes me wonder.
And here's where I get to the point that, if I'm right in my suspicions, is likely to drive me away from the game permanently (as others have, I've already stopped spending and watching ads). Because the reason I updated manually was to make sure that I had the Homesteader Janeway achievements. I would hate to think that the new card I was excited for (having voted for her in the survey) was really a Trojan horse to get us to unwittingly "agree" (and under GDPR it has to be informed consent) to our data being shared with such an obviously disreputable outfit as IronSource. (I've been doing some research and reading their own blog posts about how their software works they come across to me as boasting about shady practices like tricking people into playing other games with ads that don't in fact reflect the real gameplay, let alone any of the things they are accused of doing but would be foolish in the extreme to admit to in public.)
To be honest, I would love to hear in response to this that other people who are in jurisdictions with strong data protection regulations (I'm thinking of EU/UK/CA but there may be others) did get an automatic update (or that it turns out I've misremembered and we all had to manually update for the McCoy achievements earlier in the year), in which case I will very happily say that my tinfoil hat is currently wedged on too tight and I can wait to see what the official response is when it comes (either as an announcement or to my CS ticket) before deciding what my next steps are. But the fact that I'm even entertaining thoughts like these is a sign of the corrosion of trust that the ongoing silence from TP on this very important issue is causing.
My app updated automatically so there is definitely not a requirement for this particular version to be updated manually. So if CS try telling you that updating is some kind of implicit consent, that's nonsense. It's also completely invalid from a legal standpoint.
FWIW, I've since downgraded back to 7.5.2 and the Homesteader Janeway achievements are still there. I've claimed two of them since then. So if you roll back your installation you won't miss out on anything (except possibly some spam, phishing emails etc).
I am getting more and more worried that the argument is going to be that by manually updating to 7.5.3 I had somehow given such consent, even though at no point in the update process was any variation to the terms made clear
Installation, use and update of the game on iOS are still governed by agreements with Distributor Beam including both the license agreement and privacy policy. So there's clearly been no formal transfer that any of us players (again on iOS) have agreed to. All our agreements are with another company. This is something that I am VERY much looking forward to finding out more about through my outstanding GDPR request.
Offerwall update was just pushed on Amazon Appstore where it says the game is for "all ages". TP is just inviting complaints with the FTC and DPAs if not a lawsuit.
Hilarious. Star Trek isn't for Kids anymore. Not since Discovery Season 1. I wouldn't let my kids play this game. It needs to have a rating of M. Also Kids shouldn't be gambling IMO.
sad to say i hope they are sued.....might make them see that the offer wall was a mistake.....assuming a lawsuit doesn't break em....in which case Arc Games had best get on undeleting my STO characters so i can ditch Timelines if need be
I have started receiving a lot of push notifications on my mobile where I used to have none. I have never clicked further than the first page of this Offerwall to see what was on offer. My spending had already stopped along with others. I am afraid that unless I get some kind of confirmation from the developers that our data is safe, I will be uninstalling
From my understanding, with their purchase of DB, TP acquired all the collected user data, but also inherited any agreements made with the users. At least this is what DB has been hinting at in their privacy policy. This is a question for the lawyers, but I would assume is a pretty standard procedure. However...
As I stated earlier, I started playing this game before GDPR was fully in effect. I don't remember giving GDPR-compliant consent to any usage of my data. You are correct in pointing out that this consent needs to be informed (what data is being collected, to what end, with whom will it be shared, how long will it be stored, etc.), and opt-in, meaning that at some point you will have to actively click a "yes"-button, check a previously unchecked "I agree" checkbox, or similar. Opt-out (e.g. "you agree automatically by using our services" or "if you don't agree, do xyz") are not GDPR-compliant. There are use cases for carrying over previously obtained consents, but this is a huge grey area - basically any previous consents would have needed to be compliant with any of the user's national laws governing data protection beforehand.
Now, a lot of the data DB/TP is collecting is being transferred to them by the service provider (Apple, Google...), with whom users almost certainly have valid agreements. This consent could probably be extended to third (fourth) parties, who also access the data the SP is collecting, although I find that already very shady in the spirit of data protection.
None of this applies to IronSource collecting their own data, from users who are not actively using their service. This is the issue here, and I find it absolutely unacceptable that this has still not been addressed by TP at this point. Not only for our sakes, in my opinion they are making themselves extremely vulnerable to legal action from the EU. This issue could very well cost them their business, so I would have expected them to a) have issued a statement long ago, if they had foreseen any issues/backlash with their partnership, or b) pulled the update long ago, if they are just now waking up to the possibility that this might have been a huge mistake. Doing nothing is the worst of all worlds.
i'll be sad to see you go but i understand your reasons at least
Just to clarify. I meant Push Advertisements not Notifications. Notifications would be useful, unfortunately I never seem to receive notification that my shuttles are back etc.
I am getting advertisements for things I already own or services I already use. 😳
We understand your concerns and we are continuing to work closely with our Privacy Team to provide you with an overview that will address those concerns.
What I can tell you so far is that, regarding consent for ads/Offer Wall, we’ve always erred on the side of caution. This means that our game considers that consent is not given, and that no personal information is being shared.
There will be more details added in the overview that we will provide next week.
I will be x-posting this in the other thread as well.
Again, thank you for your patience.
Hi Shan.
Could I please ask you to now expand or clarify this post of yours?
The update you have posted here today states that personal information (e.g. my DBID and my advertising ID which are emphatically personal information under EU law) is being collected and shared, despite your statement that the game considers consent is not given.
For me it really exacerbates some of my concerns. Right now, I really do not believe that TP/WRG actually understand what personal data is or what consent actually means.
Thanks.
(Sorry, I know it probably feels like I'm having a go at you and I'm really not trying to do that but I am extremely concerned that such seemingly inaccurate information was put out in a post flagged as an admin post at a time when the community was really looking for further information and reassurance.)
So, basically, when the new "Agree" Pop Up happens, we have to accept whatever TP & IronSource want to take as far as our data and whatnot, and whatever they choose to do with it? Or we just won't be allowed to play? When many people have invested not only our trust, but also thousands of dollars into game?!?!?
Also, why does the company need to know our battery status?!?!? Just out of curiosity.....
"The truth is like a lion; you don't have to defend it. Let it loose; it will defend itself."
I've been curious about the battery status since I read it on ironSource's website. The only thing I can figure is the ad system is designed to scale down with your battery. If a 30 second ad would be too much, then you get a 20 second ad instead, that kind of thing. I don't understand why none of the text in either ironSource's site or TP's new TOS just says so if that is the reason.
They are. Great Post BTW.
If you don't do a survey, no. TP doesn't even have the data to steal your identity unless you're using your STT password on banking sites.
Correction: if you don't do a survey, quite possibly yes. That's according to Ironsource, and they seem very proud of the fact that they can get this information from people without their consent.
And there's a lot more to identity and data theft than bank details.
Fun fact: the easiest way to "hack" something isn't even computer based. It's "social engineering" which is just a fancy way of saying "conning people." One of the easiest ways to do that is having enough information about someone to sound knowledgeable, and the acting chops to sound like you're important and/or you know what you're talking about.
Think about stuff you throw away. Mail with your address on it - someone now knows where you shop online, or maybe political affiliations, or .... Doctor's bill - they know at least *some* details about your health, maybe even just who you see. Receipts - what you've bought, when you bought it, how much you paid. Shopping habits, personal tastes, financial insight. Someone spends 5 minutes digging in your trash can before the garbage truck comes and they know more about you than a lot of people - even if it's just a rough idea.
Now I have no idea how this information could *actually* be used, but I can definitely picture someone calling using it to say they know me - maybe they're pretending to be my wife, or a kid or brother or whatever - and either getting *more* info that would be more useful or really screwing up my day. Maybe they use my name and address on a loan they know no algorithm would flag because it fits my financial status. Use my info to get a mobile line and bail on it. Whatever.
Now if that person could get into my phone, all those little bits of garbage they happen to catch have a much different layer to them. Now maybe they have the different apps I use, maybe the IP addresses my phone accesses. Phone model, OS version, carrier - that's all super basic stuff to get access to, and that's more stuff to add into whatever profile they're building.
Most likely this company would just use it to serve me "appropriate" ads, I really doubt they're going to try to blackmail me by telling my boss how much time I spend on my game. But maybe they're going to sell it to some other ad company. Or well shoot! We just happened to get hacked and now there's no telling where that info ended up! Now some script kiddie has information I didn't give anyone any authorization to have, and maybe *they* think my boss would like to know what I'm really doing during some presentation. No passwords or account numbers need to be stolen.
Yeah, it's all a bit of a stretch, and I'd like to think I'm too small a fish for someone to waste the effort on, but the beauty of computers is that someone can catch enough small fish in a short amount of time that they can eat pretty damned well for a while.
My ingame purchases go through the Google Play/Google Pay thingie. I hope that means that STT/DB/WRG/TP/WTWBCNW doesn't even know the last four of my card number. I hope.....
The problem is that the Offer Wall company brags about data mining people. Even if they do not open the Offer Wall. That is what concerns people.........
Of course, but that's my point. What are they data mining? They can find out about your device. They have an advertising ID to correlate against other networks, TP could be giving them a history of your previous purchases. But no one has your SSN, your credit card, your physical address, or similar information. Data mining is about correlating information to make predictions about you to generate more compelling offers. It doesn't generate your SSN out of thin air.
1. I am not a lawyer and as such this post does not constitute legal advice.
2. Information source is a UK government site and is relevant to me as a UK resident - may or may not be the same for you
3. Interpretation is mine, applies to me by my logic - it may or may not fit your specific case.
End Disclaimer
Information Source:
1. https://ico.org.uk/your-data-matters/
2. https://ico.org.uk/for-organisations/guide-to-data-protection/
My Understanding:
1. TP/WRG is the controller and processor with whom I have an agreement (i.e. TOS to play their game)
2. In playing this game any data collected & processed by TP/WRG or its partners is the responsibility of TP/WRG, even that which is passed to or collected by any third party they further engage with.
3. I have a right under UK law to request details on what data is collected and how it is used
4. TP has 30 days from the receipt of such request to respond with information
Most Importantly, I have the legal right to:
1. Be informed if my personal data is being used
2. Get my data deleted
3. Limit how the Organisation uses my data
4. To Object to the use of my data
5. Raise a concern about how my data is being used
My Issues / Questions :
1. I appreciate Legal team needs time - but an official "damage control or holding" response could & should have been made by now.
Again, here I will say, @Shan's work is much appreciated, but she has made it clear, her response is to keep dialogue open & continuing and is not the legal update from the organisation
2. Surely when TP / WRG entered into a legal & commercial engagement with IronSource, there would have been some due diligence and they should already have the information to hand
If this is not the case, then we should all be really worried, as TP has the ability to gain access to a lot of information from your mobile devices and if they are not clear on the fact that they are a data controller and now also a processor.......
3. I would like to know exactly what information IronSource is able to collect and is collecting from my device if I do not use the wall
4. I would like to know exactly what information IronSource is able to collect and is collecting from my device if I use the wall
5. I would like to know what TP/WRG & IronSource are doing with my data and to whom else they are providing it.
What I will be doing:
1. Raising an official GDPR ticket, with some very specific questions. I would encourage you to do the same if this applies to you
2. Based on the answers to #3, 4, & 5 above I will send an official request to delete my data
Edits:
- Spelling corrections - thank you @Bylo Band for pointing these out!
- Raised GDPR based ticket on 1st July 2020
I did this last week (25th). The first response was demonstrably incorrect and when I pointed this out, I was replied to by 'Player Support Leads' who is looking into it. I'm still waiting - I'm sure they know there's a pretty strict timeline set out in the legislation. Been updating (and will continue to do so) in the other thread.
I have no intention of hijacking the thread, apologies if it seemed that way - was only trying to keep it on track, add my thoughts and add more information
BTW - I clicked on the wall, closed it and clicked on the more information button in the DIL store, my broadband provider blocked the page as it is known to be a malware host and phishing site.......
Not at all! Just a heads up
Chiming in on this part.
The url associated with the More Info button is: http://bit.do/sttofferwallhelp
It is a shortened url leading to: https://startrektimelines.zendesk.com/hc/en-us/articles/360050444413-Offer-Wall-FAQ
Thank you!
While zendesk is obviously a legitimate site, routing the traffic through a 3rd party may not have been the best move. It seems that bit.do is on several blacklists because of its association with some nefarious characters. It is not surprising that some folks may see malware warnings with this link.
https://www.urlvoid.com/scan/bit.do/
It would probably have been better to use your own server for the redirection rather than a 3rd party service. Many of the url shortening services seem to be marked as malware.
And no offense intended, but it was a rather simple google to learn this. It does show a lack of due diligence on the part of DB/TP/WRG.
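The link problem discussed in the posts above (a plain-HTTP, third-party shortener sitting in front of a first-party help page) can be caught before release with a simple link audit. This is an added example, not code from the game or its publisher; the allowlist, the sample shortener list and the resource key names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the publisher controls or has contracted directly.
FIRST_PARTY_HOSTS = {"startrektimelines.zendesk.com"}
# Assumption: a small sample of public shortener domains; extend as needed.
KNOWN_SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: the key names are made up, the two URLs are the ones
# quoted in the thread.
SAMPLE_STRINGS = """
offerwall_more_info=http://bit.do/sttofferwallhelp
offerwall_faq=https://startrektimelines.zendesk.com/hc/en-us/articles/360050444413-Offer-Wall-FAQ
"""


def audit_link(url):
    """Return the list of findings for one URL shipped in an app or help page."""
    findings = []
    parts = urlsplit(url)
    # .hostname ignores any "user@" prefix, so a URL such as
    # https://trusted.example@bit.do/x is judged by its real host.
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")
    if host in KNOWN_SHORTENERS:
        findings.append("third-party-shortener")
    if host not in FIRST_PARTY_HOSTS:
        findings.append("host-not-allowlisted")
    return findings


def audit_text(text):
    """Extract every URL from a blob of strings and keep only the flagged ones."""
    flagged = {}
    for url in URL_RE.findall(text):
        findings = audit_link(url)
        if findings:
            flagged[url] = findings
    return flagged


if __name__ == "__main__":
    for url, findings in audit_text(SAMPLE_STRINGS).items():
        print(url, "->", ", ".join(findings))
```
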
This.
I sent a ticket to CS last week expressing my concerns around all this, and got back a not-very-helpful answer pointing me to the TOS (which wasn't the same as the one linked within the Google Play Store at that time, but that's by the by, really). I replied with some more pointed GDPR-related questions, and have not yet received a further response. Amongst my still unanswered questions, I asked at what point my explicit opt-in consent had been gained for data sharing with IronSource, as my (non-expert) understanding is that that's a requirement under GDPR.
As I wait for a reply from CS, though, I am getting more and more worried that the argument is going to be that by manually updating to 7.5.3 I had somehow given such consent, even though at no point in the update process was any variation to the terms made clear. What's particularly worrying to me is that I don't think I have ever had to manually update the game before; as far as I can remember, it has always done it automatically without any intervention needed on my part, usually long before I started to see some players saying that they were getting frustrated about not being on the new version yet. I've also seen a lot of other discussions - including here on the forums - that people who aren't used to having to manually update are having to do so on this occasion, which makes me wonder.
And here's where I get to the point that, if I'm right in my suspicions, is likely to drive me away from the game permanently (as others have, I've already stopped spending and watching ads). Because the reason I updated manually was to make sure that I had the Homesteader Janeway achievements. I would hate to think that the new card I was excited for (having voted for her in the survey) was really a Trojan horse to get us to unwittingly "agree" (and under GDPR it has to be informed consent) to our data being shared with such an obviously disreputable outfit as IronSource. (I've been doing some research and reading their own blog posts about how their software works they come across to me as boasting about shady practices like tricking people into playing other games with ads that don't in fact reflect the real gameplay, let alone any of the things they are accused of doing but would be foolish in the extreme to admit to in public.)
To be honest, I would love to hear in response to this that other people who are in jurisdictions with strong data protection regulations (I'm thinking of EU/UK/CA but there may be others) did get an automatic update (or that it turns out I've misremembered and we all had to manually update for the McCoy achievements earlier in the year), in which case I will very happily say that my tinfoil hat is currently wedged on too tight and I can wait to see what the official response is when it comes (either as an announcement or to my CS ticket) before deciding what my next steps are. But the fact that I'm even entertaining thoughts like these is a sign of the corrosion of trust that the ongoing silence from TP on this very important issue is causing.
FWIW, I've since downgraded back to 7.5.2 and the Homesteader Janeway achievements are still there. I've claimed two of them since then. So if you roll back your installation you won't miss out on anything (except possibly some spam, phishing emails etc).
Installation, use and update of the game on iOS are still governed by agreements with Distributor Beam including both the license agreement and privacy policy. So there's clearly been no formal transfer that any of us players (again on iOS) have agreed to. All our agreements are with another company. This is something that I am VERY much looking forward to finding out more about through my outstanding GDPR request.
Offerwall update was just pushed on Amazon Appstore where it says the game is for "all ages". TP is just inviting complaints with the FTC and DPAs if not a lawsuit.
Related: https://threatpost.com/ftc-childrens-app-developer-coppa-violations/156355/
Hilarious. Star Trek isn't for Kids anymore. Not since Discovery Season 1. I wouldn't let my kids play this game. It needs to have a rating of M. Also Kids shouldn't be gambling IMO.
From my understanding, with their purchase of DB, TP acquired all the collected user data, but also inherited any agreements made with the users. At least this is what DB has been hinting at in their privacy policy. This is a question for the lawyers, but I would assume is a pretty standard procedure. However...
As I stated earlier, I started playing this game before GDPR was fully in effect. I don't remember giving GDPR-compliant consent to any usage of my data. You are correct in pointing out that this consent needs to be informed (what data is being collected, to what end, with whom will it be shared, how long will it be stored, etc.), and opt-in, meaning that at some point you will have to actively click a "yes"-button, check a previously unchecked "I agree" checkbox, or similar. Opt-out (e.g. "you agree automatically by using our services" or "if you don't agree, do xyz") are not GDPR-compliant. There are use cases for carrying over previously obtained consents, but this is a huge grey area - basically any previous consents would have needed to be compliant with any of the user's national laws governing data protection beforehand.
Now, a lot of the data DB/TP is collecting is being transferred to them by the service provider (Apple, Google...), with whom users with almost certainty have valid agreements. This consent could probably be extended to third (fourth) parties, who also access the data the SP is collecting, although I find that already very shady in the spirit of data protection.
None of this applies to IronSource collecting their own data, from users who are not actively using their service. This is the issue here, and I find it absolutely unacceptable that this has still not been addressed by TP at this point. Not only for our sakes, in my opinion they are making themselves extremely vulnerable to legal action from the EU. This issue could very well cost them their business, so I would have expected them to a) have issued a statement long ago, if they had foreseen any issues/backlash with their partnership, or b) pulled the update long ago, if they are just now waking up to the possibility that this might have been a huge mistake. Doing nothing is the worst of all worlds.
I'll be sad to see you go but I understand your reasons at least
Just to clarify. I meant Push Advertisements not Notifications. Notifications would be useful, unfortunately I never seem to receive notification that my shuttles are back etc.
I am getting advertisements for things I already own or services I already use. 😳
Hi Shan.
Could I please ask you to now expand or clarify this post of yours?
The update you have posted here today states that personal information (e.g. my DBID and my advertising ID which are emphatically personal information under EU law) is being collected and shared, despite your statement that the game considers consent is not given.
For me it really exacerbates some of my concerns. Right now, I really do not believe that TP/WRG actually understand what personal data is or what consent actually means.
Thanks.
(Sorry, I know it probably feels like I'm having a go at you and I'm really not trying to do that but I am extremely concerned that such seemingly inaccurate information was put out in a post flagged as an admin post at a time when the community was really looking for further information and reassurance.)