Privacy review and violations
NoNameNamer
✭✭✭✭
- Platform: iOS
- Region: Europe, under the territorial scope of GDPR
- Personalized ads consent: not given, not in the game, not in iOS settings
- Login: email + password
In the conditions above, my personal data is being shared with ad providers as soon as the game launches. It ranges from unique tracking IDs to pure fingerprinting information and even my IP address. I will list ad providers and link to pastebins of unencrypted HTTPS traffic that includes URLs, request headers and payloads, response headers and payloads. In some cases, payloads are base64 encodings for which I have provided the decoded data. In other cases, an extra encryption layer prevents me from seeing what is being shared (I cannot imagine a scenario in which this encryption is necessary if not to hide privacy violations). These pastebins only serve to provide proof; I will not provide an exhaustive list of pinged URLs or the entire traffic. In most cases, I had to redact personal information and replace it with <removed> tags (including cookies, IP, ISP, country, city, zip code, geographical coordinates, mobile carrier, timezone, language, while various persistent or session IDs are only partially <removed> so that we can see how they are shared across the board). Other fingerprinting info is left intact as it is only useful to them.
- Facebook - On launch, without connecting to Facebook, the game shares some data with Facebook via 2 endpoints. Even though the IP is not shared as far as I can tell (there is a fairly large encoded payload in one of the headers which I cannot read), sufficient data is given to allow identification. An immediate red flag is sharing my available disk space among other things, which, like battery status, is a well-known piece of information used in fingerprinting with major success. After these 2 payloads are sent, Facebook replies with the result of my identification, which, among other data, includes my IP.
Here are the 2 requests and responses:
POST https://web.facebook.com/adnw_logging/
POST https://web.facebook.com/adnw_sync2/
- Isprog.com is given screen width, height, model, country, version numbers, various IDs and the IP address
GET https://wins.isprog.com/lb (new lines are added after each URL parameter for readability)
- AdColony - everything about the screen, everything about the device, country, carrier country, platform, language, timezone, time, locale, version numbers, various IDs including one that is being shared with multiple providers, battery level + encrypted payloads. The result is that AdColony eventually responds with details about me such as: country, region/city, zip code, IP, ISP, etc.
One of these responses also includes a list of available endpoints, and one of them is meant for reporting in-app purchases. I have not made a purchase to see if purchase info is sent anywhere.
POST https://adc3-launch.adcolony.com/v4/launch
POST https://events3alt.adcolony.com/t/5.0/session_start - encrypted payload
POST https://events3alt.adcolony.com/t/5.0/session_end
POST https://iosads4-6.adcolony.com/configure - IP response at the end
POST https://wd.adcolony.com/logs - more of this sensitive info is sent to this /logs endpoint, I guess for logging?
- IronSrc - IronSource itself logs some info related to the device and platform, including a device ID hash and "application user ID" that's shared with some of the other ad providers.
GET https://logs.ironsrc.mobi/logs - decoded payload
- Supersonicads - now owned by IronSource, much of the communication is further encrypted and unreadable. Small parts of the payload are redacted in case anyone happens to decode/decompress/decrypt them, but do let me know if you have thoughts on this - it's possible some of them are actual ads, precached on the client. Various IDs, keys and country code are readable in the URL parameter list in some requests, but most info is shared in that last request below, which includes: tracking IDs, city, country, carrier, ISP, language, device info, screen info, free disk space, small encoded payload, etc.
GET https://init.supersonicads.com/sdk/v7.1.10
POST https://outcome-ssp.supersonicads.com/mediation
POST https://pm-gateway.supersonicads.com/auction
GET https://outcome-cdn.supersonicads.com/rewarded-video/iab-notification/win/<id> - tracking info here
GET https://networksdk.ssacdn.com/mobileSDKController/mobileController.html - an HTML page being fetched which includes a script that does something, possibly gets executed when ads are run - I did not dig through it.
- Swrve - user ID, session token, unique device ID, device info, screen info, timezone, country, city, a so called "iOS token", some version numbers, and OS install date (how many in your town installed the exact same iOS on the exact same iPhone model at the exact same second?)
POST https://30819.api.swrve.com/1/batch
GET https://30819.content.swrve.com/api/1/user_resources_and_campaigns
- Doubleclick / Google - everything about device and screen, version numbers, many different IDs with no indication of what they mean, and a couple of encoded payloads. Aside from that last thing, this looks really clean relatively speaking (no language, timezone, country, locale, carrier, etc.)
GET https://googleads.g.doubleclick.net/getconfig/pubsetting
GET https://googleads.g.doubleclick.net/mads/gma - most data shared here
- AppsFlyer - an app id that is also shared with Supersonicads and Isprog, but the bulk of the information is encrypted. This endpoint is pinged just about every other action taken in the game.
POST https://launches.appsflyer.com/api/v6.2/iosevent
I have decided to share this information because this looks unacceptable to me. I do not know what WRG's privacy review entailed the last time the disreputable IronSource was a hot topic, but my findings directly contradict what we have been told before, and we clearly haven't been told everything.
From WRG:
Also from WRG:
PS: If I forgot to redact some personal info, please let me know in a DM.
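As an added example (not part of NoNameNamer's post, nor code from any of the SDKs named in it), a small Python audit script that takes captured requests of the kind described above and answers two of the questions the post raises: which identifier values reach more than one ad provider, and which requests disclose fingerprinting-grade fields before consent was given. The request records, the field names (such as app_user_id) and every value in them are constructed placeholders, not captured data.

```python
"""Cross-provider identifier audit over captured app traffic (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Fields the post singles out as identifying or fingerprinting-grade.
SENSITIVE_FIELDS = {
    "ip", "idfa", "idfv", "app_user_id", "free_disk_space", "battery_level",
    "timezone", "carrier", "city", "zip", "lat", "lon", "os_install_date",
}
# Keys whose values are stable identifiers worth correlating across parties.
IDENTIFIER_KEYS = {"idfa", "idfv", "app_user_id", "device_id_hash", "session_id"}

# Constructed records: hosts from the post, field names/values are placeholders.
# "t" is seconds since launch; in the post's scenario consent is never given.
CONSTRUCTED_REQUESTS = [
    {"t": 0.4, "url": "https://wins.isprog.com/lb",
     "fields": {"app_user_id": "u-7f3a", "ip": "203.0.113.7", "screen_w": "1170"}},
    {"t": 0.6, "url": "https://adc3-launch.adcolony.com/v4/launch",
     "fields": {"app_user_id": "u-7f3a", "battery_level": "0.81", "timezone": "Europe/Berlin"}},
    {"t": 0.9, "url": "https://init.supersonicads.com/sdk/v7.1.10",
     "fields": {"app_user_id": "u-7f3a", "free_disk_space": "12884901888", "city": "Berlin"}},
    {"t": 1.2, "url": "https://launches.appsflyer.com/api/v6.2/iosevent",
     "fields": {"app_user_id": "u-7f3a", "payload": "<encrypted>"}},
    {"t": 1.5, "url": "https://googleads.g.doubleclick.net/mads/gma",
     "fields": {"session_id": "s-19", "screen_w": "1170", "sdk_v": "8.1"}},
]

def party_of(url):
    """Registrable-domain approximation: last two host labels (fine for .com/.net/.mobi)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cross_party_identifiers(requests):
    """Identifier value -> sorted list of parties, keeping only values seen by 2+ parties."""
    seen = defaultdict(set)
    for req in requests:
        party = party_of(req["url"])
        for key, value in req["fields"].items():
            if key in IDENTIFIER_KEYS:
                seen[value].add(party)
    return {v: sorted(p) for v, p in seen.items() if len(p) > 1}

def pre_consent_disclosures(requests, consent_time=None):
    """(party, sorted sensitive fields) for requests sent before consent (all, if never given)."""
    findings = []
    for req in requests:
        if consent_time is not None and req["t"] >= consent_time:
            continue
        leaked = sorted(set(req["fields"]) & SENSITIVE_FIELDS)
        if leaked:
            findings.append((party_of(req["url"]), leaked))
    return findings
```

Pointing the two functions at a real capture (a HAR export or proxy log converted into the same record shape) turns the post's manual pastebin comparison into a repeatable check.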
This discussion has been closed.
Comments
That way I get good ads instead of boring ones.
As long as my bank account and money related stuff is blocked, it's ok for me.
So what if they know my region, my height, my age.
If people really wanted privacy then facebook, instagram, tiktok, etc would have failed.
It is required by law in many countries that the user is informed about what information of the user is given to whom. And it is additionally required in most of these countries, that the user has to be asked for consent before using the user's data.
So, if you prefer that they know all that stuff, the legal way is that they inform you and you give consent. It is illegal if they don't inform you and just use it - whether you would have given your consent or not!
Thus, the relevant information that you could contribute here is not whether you are ok with the usage of your data, but whether you have been informed about it and asked for consent.
(That is, if you live in one of the many countries with reasonable laws like the GDPR. If you live in a country that does not have such laws, then your opinion is sadly considered completely irrelevant by your leaders.)
Now, a violation of these laws is vastly illegal. Just looking at the GDPR that NoNameNamer mentioned, there can be a fine of 20 million € (approx. 22.6 million $)* for each data privacy violation - and from NoNameNamer's post there are probably multiple violations (e.g. 8 of them).
Anyway, this is immensely unsettling and anyone that wants this game to continue should hope that they change their behavior regarding data privacy, otherwise a lawsuit could force the company (and the game) into bankruptcy at any time.
Note: I am not a data privacy lawyer, so I recommend contacting a data privacy lawyer to get more details on the issue. Also, you probably want to ask at privacy@tiltingpoint.com about their point of view about it.
Live long and prosper,
Doctor 8472
PS: * actually it is 20 million € or 4 % of their annual business volume - whatever is greater
I can't speak for "people", I'm only one person and I don't pretend to know the thoughts of everybody else. But speaking personally, I absolutely value my privacy and that's why I won't go anywhere near Facebook, Instagram, TikTok or a whole bunch of other similar abusers.
But if you want a more selfish reason to care about this, if they really are in breach of GDPR and get caught then the fines could bankrupt them and/or shut this game down.
The offerwall privacy concerns were, ironically, the reason I quit last time. With this, I think that it is safe to say that trusting anything this company says would be a mistake and giving them any of my time or money would be foolish, to say the least.
For me, the Game is uninstalled. I don't know that any explanation they offer will satisfy my renewed rage. I hope that the players who support this game with bots, calculators, discord channels and live streams also take this matter seriously enough to consider whether or not they should let a company like this continue to get away with lying to its customers.
And Peets, if you prefer they know all that stuff, all you have to do is opt into personalized ads, which I'm sure you already have. In the case of the author, they elected to not opt into personalized ads.
WRG/TP put out a very public notice about all of this privacy concern stuff, and like the author pointed out, they said that if you did not opt into the offerwall or the personalized ads, you would not be subject to the types of things that the author documented.
Therefore, the company has been caught lying, and potentially committing crimes. Whether or not you think it's an issue is irrelevant, unless you carry enough pull to modify international law.
Yep. Excellent work by Namer uncovering these unlawful activities.
Public profile
Captain Zombie's Combo chain calculator
I received that message the first time I launched the game.
Edit: For the original poster. He did not mention this.
But did he click the "do not sell my personal information" button?
Edit 2: Did someone actually read the privacy policy? Check topic 6.
If this is being transmitted specifically to the US, which is not classed as "adequate" under current GDPR ruling, it may constitute a breach.
I've just seen this thread and I can say the following:
- privacy is discussed every month to ensure that games at our studio and across Tilting Point are compliant with various privacy requirements
- consent to our Terms of Service, Privacy Policy and personalized ads is asked when installing the game.
It was also asked to all existing users when we introduced the option in the game.
These items can all be found in game in Settings -> Policy Agreement
This screenshot was taken today, from an iOS device.
Link to our terms of service: https://www.tiltingpoint.com/terms-of-service/
Link to our privacy policy: https://www.tiltingpoint.com/privacy-policy/
The privacy policy explains what kind of data can be used and why, please take the time to review it carefully if you have not done so already.
After the original privacy dustup over the Offer Wall, WRG told us exactly what data was being sent, which Namer included in his post. The list was not ambiguous and ended emphatically with "We can confirm that no other data is being accessed, or shared by the ironSource SDK."
Whether done intentionally or negligently, what we were told isn't true. I am dismayed at how much data is being sent beyond what was listed, and I am out of patience for WRG's continued incompetence and lack of transparency. It took more than a business day for a response to this post, and the response did not address the issue at hand in the slightest. It looks like WRG is blaming players for consenting to their data being shared, completely missing the point that Namer demonstrated data is being shared without consent and beyond the scope of what WRG listed as being shared.
Please read Namer's post in detail; this isn't about the consent but what we are consenting to.
Did you genuinely miss all the contradicting proof that NNN just brought to the table?
The consent box is unticked and yet...
You do that when you install the game.
Also did nobody actually read the privacy policy?
Does my adblocker program on my iPad help avoid the collection of data that NoNameNamer identified?
I would highly doubt it - as I believe the OP states that the data is shared on launch (i.e. during the initialisation phase of the game)
Second Star to the Right - Join Today!
Or most of the players realize this is par for the course for mobile applications these days. Especially when, as Shan pointed out, we agreed to it by downloading the game.
That being said I will take a deeper look at some of the points presented and consult with our privacy team.
Presumably, then, if I were to install your app on a platform that does not present ads at all (e.g. Windows, etc.), then your app would not collect such data as the OP outlined. Do I have that right?
That being said. My understanding of this issue was that a lot of people got really upset that WRG may be sharing/allowing data to be shared with third parties (of questionable reputation). Those people were told what data was being shared and how they could opt out of it. Now it seems like the data still gets shared, you just opted out of getting personalized ads from it.
I can assure you that people were not upset that they might see personalized ads. They were upset that their data was out there.
I don't know if this is where the legal winds are blowing but it seems like as long as you tell people (in a privacy policy that they have to find) that you are going to share their data the only way to actually opt out is to not use the service/site/app, etc.
Then I did some digging on the web and it seems this is very common practice.
This has literally nothing to do with the issue which is WRG giving us wrong information about what is and is not shared.
When you told your mother that other kids were also sticking gum under their desks, not just you, did that get you out of trouble?
This has literally nothing to do with the issue which is a person giving you "wrong" information instead of actually reading the policy.
Also, did you actually read what they said.
"...we can confirm that we do not collect any personal information without legal basis such as consent,..."
You gave consent when installing the game.