When you told your mother that other kids were also sticking gum under their desks, not just you, did that get you out of trouble?
This has literally nothing to do with the issue which is a person giving you "wrong" information instead of actually reading the policy.
Also, did you actually read what they said.
"...we can confirm that we do not collect any personal information without legal basis such as consent,..."
I have checked 3 other mobile games and they are doing the exact same thing. (checked their privacy policy)
Then I did some digging on the web and it seems this is very common practice.
That just lowers my opinion of the entire industry. Didn’t think that was possible.
When you told your mother that other kids were also sticking gum under their desks, not just you, did that get you out of trouble?
This has literally nothing to do with the issue which is a person giving you "wrong" information instead of actually reading the policy.
Also, did you actually read what they said.
"...we can confirm that we do not collect any personal information without legal basis such as consent,..."
I have checked 3 other mobile games and they are doing the exact same thing. (checked their privacy policy)
Then I did some digging on the web and it seems this is very common practice.
That just lowers my opinion of the entire industry. Didn’t think that was possible.
The ads are what makes mobile games that don’t have a subscription possible. You either pay with a service, an upfront cost of purchase, or with some of your information.
I suppose there are two distinct discussions in this topic. Sorry in advance for the long post.
First, IronSource
This is the third party company that operates the Offer Wall and which was part of the previous privacy concerns in this community. It is also the only one for which WRG made some public statements.
The most important part of the statement is what kind of potentially personally identifiable information (PII) is being collected and shared with the company as part of the Tilting Point Privacy Policy without user consent for personalized ads. Or in other words: if you start the app on Android or iOS, this data will be shared with third parties, period.
Thanks to NoNameNamer for looking into the details and decrypting the information packet. The only thing that I can see at first glance, which was not mentioned by WRG previously, is a unique ID that identifies the device itself:
"deviceid": "336FD030-5912-4B67-9000-<removed>"
My question to TP/WRG: is this unique ID new, if not why was it omitted from the previous privacy statement regarding IronSource? This goes beyond standard system metrics or data required to associate a Timelines player with their account.
Second, everyone else
I didn't know any of the specifics that have been unearthed by the thread-starter, but I was well aware in general, that advertising companies collected and logged PII data points far in excess of the ones necessary to provide basic services.
This should of course be a concern for TP/WRG, since they're ultimately responsible for any third-party tool they integrate into their game(s). After all, legally speaking under the GDPR, the controller (operator of the game, thus TP/WRG) needs to ensure privacy compliance of any third-party company that is contracted to process personal data. These processors only count as extensions of the controlling entity and any responsibility is shared.
But, as unpopular as the previously expressed opinion may seem, it's also not something we can blame WRG for. The undeniable fact of the matter is, that games like this wouldn't survive or exist in the first place, without the monetization of non-spending players.
Ultimately, the responsibility to protect someone's privacy lies with each and every person. If you informed yourself, you'd know that Google/Doubleclick Ads has been fined for GDPR violations in the past and this is likely not the only or last time this has happened to an ad network. What consequences people should take is up to them.
My own personal consequence has always been to play mobile games exclusively on an emulator or a separate device, use a separate Google account and a VPN/proxy. In the case of Timelines, I accept the annoyance and privacy risk of advertising for the in-game benefit they provide. In other games (back when I played more than only TImelines), I blocked advertising networks on a DNS level.
My privacy advice if you love Timelines but the above is a step too far for you: play the game on Steam. Its terms of service for game publishers is stricter than mobile. It's why there are no third-party ads allowed in Steam games.
I get the annoyance of offer wall and Ironsource but they can be helpful too. With them I was able to get dilithium to get Admiral Mark Jameson and Fencing Picard. Able to try exclusive treasures packs I could never afford to buy as well as get many more crew slots and other crew. These things would not have been possible otherwise. Offer wall allows non whales to compete and get luxury items in game. To not just have to wait for portal updates but actually go after things in game.
I get the annoyance of offer wall and Ironsource but they can be helpful too. With them I was able to get dilithium to get Admiral Mark Jameson and Fencing Picard. Able to try exclusive treasures packs I could never afford to buy as well as get many more crew slots and other crew. These things would not have been possible otherwise. Offer wall allows non whales to compete and get luxury items in game. To not just have to wait for portal updates but actually go after things in game.
I don't have those awesome offer wall deals. They **tsk tsk** here.
I would be surprised if they gave an answer.
Everything is clear in the policy agreement.
And it's also fairly clear that they're not sticking to that policy agreement. That's why we need an answer.
I have not seen any violation.
While I do not have knowledge of what your profession is, education is, or really anything about you at all, I would speculate that as you are not offering legal services to the gamers on this forum you are not a lawyer, nor an expert in privacy matters. If you were a representative of the company who was an expert in these matters, it would be extremely foolish to create an account to go "tit for tat" against forum dwellars, so similarly, I can speculate and deduce that you are not a representative of these matters for the company.
As such, I do not think that your assessment, and opinion, that you have "not seen any violation" really matters at all. In fact, the only thing I think that matters is that you have proven yourself time and time again to be a troll and apologist for wicked realm games.
The companies silence on this matter speaks volumes. They are absolutely in violation of international privacy laws. They are simply gambling that no one is willing to take them to task over it.
I would be surprised if they gave an answer.
Everything is clear in the policy agreement.
And it's also fairly clear that they're not sticking to that policy agreement. That's why we need an answer.
I have not seen any violation.
While I do not have knowledge of what your profession is, education is, or really anything about you at all, I would speculate that as you are not offering legal services to the gamers on this forum you are not a lawyer, nor an expert in privacy matters. If you were a representative of the company who was an expert in these matters, it would be extremely foolish to create an account to go "tit for tat" against forum dwellars, so similarly, I can speculate and deduce that you are not a representative of these matters for the company.
As such, I do not think that your assessment, and opinion, that you have "not seen any violation" really matters at all. In fact, the only thing I think that matters is that you have proven yourself time and time again to be a troll and apologist for wicked realm games.
The companies silence on this matter speaks volumes. They are absolutely in violation of international privacy laws. They are simply gambling that no one is willing to take them to task over it.
You are predicting your own words.
People who not agree they are in violation should be an expert.
People who agree that they are in violation should not be an expert.
Did you actually read the entire privacy policy or are just taking the word of other forum posters? I did.
If everyone believes it, it becomes the truth even if it's not the truth.
People who not agree they are in violation should be an expert.
People who agree that they are in violation should not be an expert.
You are putting words in my mouth. I make no assertion about others, I made a speculative and deductive statement about who and what you are. I admitted as much in my statement.
Did you actually read the entire privacy policy or are just taking the word of other forum posters? I did.
If everyone believes it, it becomes the truth even if it's not the truth.
I too, read the entire privacy policy. It is akin to a "ride at your own risk" sign on a roller coaster. However, if the owner/operator of that hypothetical roller coaster is found to be negligent or deceptive about perceived safety of said roller coaster, then they are criminally liable for accidents.
Similarly, it would appear that from the evidence that the author of this thread has presented, there is a possibility that the game owner/developer is in violation of international privacy laws. Even if the "privacy policy" that the company created (on its own accord) was intended to skirt around those international laws, the privacy policy is not a shield against negligent or deceptive behavior.
Again, you are a troll and a wicked realms games apologist. I do not take you seriously at all, but given that you have dedicated every post you have made in this thread to spreading misinformation, I felt it was appropriate to put you back into your place.
Similarly, it would appear that from the evidence that the author of this thread has presented, there is a possibility that the game owner/developer is in violation of international privacy laws. Even if the "privacy policy" that the company created (on its own accord) was intended to skirt around those international laws, the privacy policy is not a shield against negligent or deceptive behavior.
While I do not have knowledge of what your profession is, education is, or really anything about you at all, I would speculate that as you are not offering legal services to the gamers on this forum you are not a lawyer, nor an expert in privacy matters. If you were a representative of the company who was an expert in these matters, it would be extremely foolish to create an account to go "tit for tat" against forum dwellars, so similarly, I can speculate and deduce that you are not a representative of these matters for the company.
The same goes for the author.
It is easy to spread misinformation.
The issue:
Personalized ads consent: not given, not in the game, not in iOS settings
When you are launching the game for the first time, you give permission for the privacy policy. Not for personal ads (that is a separate button) but for information that is send to 3rd parties. It is clearly mentioned in the privacy policy. Which the author showed.
So where is this evidence of the privacy violation?
Where is the evidence of the violation of international privacy laws?
If it is stated in the privacy laws is it then in violation of the GDPR?
I’m not an expert here, so I don’t know if TP has violated any laws or its privacy policy. I’m not an expert in technology and I don’t have an Android phone, so I have no basis to validate the claims made in this post.
However, it is odd that WRG/TP has not responded to these claims (aside from saying that they’re looking into it) after this thread has been active for several weeks. It definitely gives me the impression that these claims are not frivolous and that there may be more truth to them than one would hope.
I will update this thread when I have additional information to share, I do not have at this time.
I am not an expert and I require additional help from various teams, one being the privacy/legal team.
We do take this seriously and have every intention of examining whether adjustments are needed or not.
I had uninstalled all of my non-PC clients immediately after posting these findings. These client versions on the PC (Steam, Windows Store) do not support ads and do not seem to initialize the ironSource SDK which is the main culprit here.
WRG code seems to do the right thing by telling the ironSource SDK that consent has not been given. But that is what happens when you work with an extremely shady company and give their code free reins to run inside your product.
This is an Israeli company that specialized in adware and used to create invasive browser toolbars and software installers, the ones that would hijack your browser and inject their own ads and popups or trick you into installing unwanted software. (And their installers are still in use today - I had to recently install the Android emulator MEmu for a comparative study and the rather permissive Windows Defender immediately screamed and quarantined the file because of ironSource's installer). I understand that ironSource is now a multi-billion dollar company thanks to their hit product that serves ads from the highest bidder, but it does not mean that it is a trustworthy partner or that it operates in full compliance with applicable laws. They have already been found guilty and fined for severe privacy violations (tracking and building profiles on little children) and if you are curious enough to read the minutes of their recent shareholders meetings, you will see how they are aware that privacy laws generally do not keep up with the industry (and their workarounds -- hint: fingerprinting techniques such as remaining battery life or free disk space which I have highlighted in my original post) and they literally warn shareholders that they can not guarantee not losing more lawsuits down the line.
WRG is at fault here for working with this company when there are alternatives. WRG is at fault here for not constantly auditing the ironSource SDK for privacy risks as the cost of doing business with them. It is WRG's fault for lying to us about what data is being collected even if unknowingly (by passing on what was documented by ironSource at the time). It is WRG's fault for lying to us in their own Privacy Policy.
Privacy Policy:
When you see ads in our Games, we may share your Advertising ID and IP address with our advertising partners if you have given your consent to the use of your data for personalized ads. Our advertising partners may also collect non-personal information directly from our Games through technologies such as software development kits (SDKs).
I have clearly shown that 1. all of this data (and more) is shared without consent for personalized ads and 2. that all of this data is shared without seeing any ad whatsoever.
I brought this to light 1.5 months ago and we still have no response from WRG. Do we really have to take action in other ways to get any traction on these issues?
When you see ads in our Games, we may share your Advertising ID and IP address with our advertising partners if you have given your consent to the use of your data for personalized ads. Our advertising partners may also collect non-personal information directly from our Games through technologies such as software development kits (SDKs).
I have clearly shown that 1. all of this data (and more) is shared without consent for personalized ads and 2. that all of this data is shared without seeing any ad whatsoever.
It does not matter if you turn on the consent for personalized ads or not.
They'll still share. For Personalized ads they'll share more.
The consent you give there is only for the extra sharing.
If you turn it off, they'll still share with 3rd parties as you have clearly shown.
directly from you and/or your device by automatic means when you use our Services or interact with our ads outside of our Services (for example, on third-party websites or applications), including through cookies or similar technologies or software development kits (SDKs),
The two ways:
1. For personalized ads (Privacy policy 3.2)
2. The share data with 3rd parties (Privacy policy 5)
If you don't want them to sell it, use the "Do not sell my personal information" button.
Where do you find it?
Settings -> View privacy policy -> Do not sell my personal information
Privacy Policy 9: Your Rights:
You may also withdraw your consent for processing your data at any time. Please be aware that we may continue processing your data despite your withdrawal of consent if we also have another lawful basis for doing so. To access your data in our Games or to request its deletion, please contact us at privacy@tiltingpoint.com. To unsubscribe from our marketing communications, please use the unsubscribe link provided in the messages we send. The unsubscribe link is typically found at the end of the message.
It does not matter if you turn on the consent for personalized ads or not.
That is the issue.
They'll still share. For Personalized ads they'll share more.
The consent you give there is only for the extra sharing.
False. I took at a trace of the network traffic with and without the consent bit set. WRG correctly sets the bit in the ironSource SDK, but the data shared is exactly the same with or without consent.
directly from you and/or your device by automatic means when you use our Services or interact with our ads outside of our Services (for example, on third-party websites or applications), including through cookies or similar technologies or software development kits (SDKs),
This does not refer to personally identifiable data given via consent for personalized ads, no matter what your made-up definition of "personalized ads" is. In the industry, this personalized experience has one and one meaning only: allow us to track and identify you personally, which is beyond collecting data such as region/country and other non-identifiable data and analytics which are sufficient for serving ads and running Services. I also did not interact with ads or 3rd party Services whatsoever.
The selling of data was never an issue and it is a separate matter.
@WRG
I hope WRG acts knowledgably and professionally on this serious matter and does not simply stall to let the issue be somehow solved in the court of public opinion by the random spewing of bored and ignorant loud-mouths.
the data shared is exactly the same with or without consent.
This is an important part that you forgot to share?
Also what info are they collecting that is not in policy 4. "What data do we proces" ?
I could have made a mistake but all the data you mention is in there.
Also they mention that they share the data they collect in policy 6.
If this is all legal I don't know but as far I can see it is in there.
Which you give consent when installing the game.
Although it is strange that when you confirm consent for adds that there is no difference.
Also, no need to insult people it does not bring anything to the discussion, quite the contrary.
Then file a GDPR complain and if they will be find guilty the fine will most likely kill the company as they are huge and if they are not then stop spending time with the game.
One problem with
"If you don't want them to sell it, use the "Do not sell my personal information" button.
Where do you find it?
Settings -> View privacy policy -> Do not sell my personal information"
The Opting Out window starts with, "If you are a California resident, you have the right to request that we not sell your data."
I am not a California resident, so I apparently do not have the right to use this button.
Comments
That just lowers my opinion of the entire industry. Didn’t think that was possible.
The ads are what makes mobile games that don’t have a subscription possible. You either pay with a service, an upfront cost of purchase, or with some of your information.
Social media is even worse.
Amen. Social media should be killed with fire. I’d like to think mobile gaming doesn’t deserve the same fate.
First, IronSource
This is the third party company that operates the Offer Wall and which was part of the previous privacy concerns in this community. It is also the only one for which WRG made some public statements.
The most important part of the statement is what kind of potentially personally identifiable information (PII) is being collected and shared with the company as part of the Tilting Point Privacy Policy without user consent for personalized ads. Or in other words: if you start the app on Android or iOS, this data will be shared with third parties, period.
Thanks to NoNameNamer for looking into the details and decrypting the information packet. The only thing that I can see at first glance, which was not mentioned by WRG previously, is a unique ID that identifies the device itself:
My question to TP/WRG: is this unique ID new, if not why was it omitted from the previous privacy statement regarding IronSource? This goes beyond standard system metrics or data required to associate a Timelines player with their account.
Second, everyone else
I didn't know any of the specifics that have been unearthed by the thread-starter, but I was well aware in general, that advertising companies collected and logged PII data points far in excess of the ones necessary to provide basic services.
This should of course be a concern for TP/WRG, since they're ultimately responsible for any third-party tool they integrate into their game(s). After all, legally speaking under the GDPR, the controller (operator of the game, thus TP/WRG) needs to ensure privacy compliance of any third-party company that is contracted to process personal data. These processors only count as extensions of the controlling entity and any responsibility is shared.
But, as unpopular as the previously expressed opinion may seem, it's also not something we can blame WRG for. The undeniable fact of the matter is, that games like this wouldn't survive or exist in the first place, without the monetization of non-spending players.
Ultimately, the responsibility to protect someone's privacy lies with each and every person. If you informed yourself, you'd know that Google/Doubleclick Ads has been fined for GDPR violations in the past and this is likely not the only or last time this has happened to an ad network. What consequences people should take is up to them.
My own personal consequence has always been to play mobile games exclusively on an emulator or a separate device, use a separate Google account and a VPN/proxy. In the case of Timelines, I accept the annoyance and privacy risk of advertising for the in-game benefit they provide. In other games (back when I played more than only TImelines), I blocked advertising networks on a DNS level.
My privacy advice if you love Timelines but the above is a step too far for you: play the game on Steam. Its terms of service for game publishers is stricter than mobile. It's why there are no third-party ads allowed in Steam games.
I don't have those awesome offer wall deals. They **tsk tsk** here.
Proud member of Patterns of Force
Captain Level 99
Played since January 2017
TP: Do better!!!
It’s been two weeks, is there any update from
the privacy team?
Not yet.
They'd actually have to be looking for one to give us an update.
This is YET ANOTHER one of their ignore them until it goes away examples.
*cough* and bug *cough*
Everything is clear in the policy agreement.
I didn't know you still played, just thought you lurked in the fleet wine cellar....
And it's also fairly clear that they're not sticking to that policy agreement. That's why we need an answer.
Proud member of Patterns of Force
Captain Level 99
Played since January 2017
TP: Do better!!!
I have not seen any violation.
While I do not have knowledge of what your profession is, education is, or really anything about you at all, I would speculate that as you are not offering legal services to the gamers on this forum you are not a lawyer, nor an expert in privacy matters. If you were a representative of the company who was an expert in these matters, it would be extremely foolish to create an account to go "tit for tat" against forum dwellars, so similarly, I can speculate and deduce that you are not a representative of these matters for the company.
As such, I do not think that your assessment, and opinion, that you have "not seen any violation" really matters at all. In fact, the only thing I think that matters is that you have proven yourself time and time again to be a troll and apologist for wicked realm games.
The companies silence on this matter speaks volumes. They are absolutely in violation of international privacy laws. They are simply gambling that no one is willing to take them to task over it.
You are predicting your own words.
People who not agree they are in violation should be an expert.
People who agree that they are in violation should not be an expert.
Did you actually read the entire privacy policy or are just taking the word of other forum posters? I did.
If everyone believes it, it becomes the truth even if it's not the truth.
There is no contradiction in the logic used in my response to your statement.
You are putting words in my mouth. I make no assertion about others, I made a speculative and deductive statement about who and what you are. I admitted as much in my statement.
I too, read the entire privacy policy. It is akin to a "ride at your own risk" sign on a roller coaster. However, if the owner/operator of that hypothetical roller coaster is found to be negligent or deceptive about perceived safety of said roller coaster, then they are criminally liable for accidents.
Similarly, it would appear that from the evidence that the author of this thread has presented, there is a possibility that the game owner/developer is in violation of international privacy laws. Even if the "privacy policy" that the company created (on its own accord) was intended to skirt around those international laws, the privacy policy is not a shield against negligent or deceptive behavior.
Again, you are a troll and a wicked realms games apologist. I do not take you seriously at all, but given that you have dedicated every post you have made in this thread to spreading misinformation, I felt it was appropriate to put you back into your place.
While I do not have knowledge of what your profession is, education is, or really anything about you at all, I would speculate that as you are not offering legal services to the gamers on this forum you are not a lawyer, nor an expert in privacy matters. If you were a representative of the company who was an expert in these matters, it would be extremely foolish to create an account to go "tit for tat" against forum dwellars, so similarly, I can speculate and deduce that you are not a representative of these matters for the company.
The same goes for the author.
It is easy to spread misinformation.
The issue:
Personalized ads consent: not given, not in the game, not in iOS settings
When you are launching the game for the first time, you give permission for the privacy policy. Not for personal ads (that is a separate button) but for information that is send to 3rd parties. It is clearly mentioned in the privacy policy. Which the author showed.
So where is this evidence of the privacy violation?
Where is the evidence of the violation of international privacy laws?
If it is stated in the privacy laws is it then in violation of the GDPR?
My evidence:
Source: https://www.trilateralresearch.com/the-cnil-on-data-sharing-with-third-parties/
However, it is odd that WRG/TP has not responded to these claims (aside from saying that they’re looking into it) after this thread has been active for several weeks. It definitely gives me the impression that these claims are not frivolous and that there may be more truth to them than one would hope.
I am not an expert and I require additional help from various teams, one being the privacy/legal team.
We do take this seriously and have every intention of examining whether adjustments are needed or not.
WRG code seems to do the right thing by telling the ironSource SDK that consent has not been given. But that is what happens when you work with an extremely shady company and give their code free reins to run inside your product.
This is an Israeli company that specialized in adware and used to create invasive browser toolbars and software installers, the ones that would hijack your browser and inject their own ads and popups or trick you into installing unwanted software. (And their installers are still in use today - I had to recently install the Android emulator MEmu for a comparative study and the rather permissive Windows Defender immediately screamed and quarantined the file because of ironSource's installer). I understand that ironSource is now a multi-billion dollar company thanks to their hit product that serves ads from the highest bidder, but it does not mean that it is a trustworthy partner or that it operates in full compliance with applicable laws. They have already been found guilty and fined for severe privacy violations (tracking and building profiles on little children) and if you are curious enough to read the minutes of their recent shareholders meetings, you will see how they are aware that privacy laws generally do not keep up with the industry (and their workarounds -- hint: fingerprinting techniques such as remaining battery life or free disk space which I have highlighted in my original post) and they literally warn shareholders that they can not guarantee not losing more lawsuits down the line.
WRG is at fault here for working with this company when there are alternatives. WRG is at fault here for not constantly auditing the ironSource SDK for privacy risks as the cost of doing business with them. It is WRG's fault for lying to us about what data is being collected even if unknowingly (by passing on what was documented by ironSource at the time). It is WRG's fault for lying to us in their own Privacy Policy.
Privacy Policy:
I have clearly shown that 1. all of this data (and more) is shared without consent for personalized ads and 2. that all of this data is shared without seeing any ad whatsoever.
I brought this to light 1.5 months ago and we still have no response from WRG. Do we really have to take action in other ways to get any traction on these issues?
It does not matter if you turn on the consent for personalized ads or not.
They'll still share. For Personalized ads they'll share more.
The consent you give there is only for the extra sharing.
If you turn it off, they'll still share with 3rd parties as you have clearly shown.
The two ways:
1. For personalized ads (Privacy policy 3.2)
2. The share data with 3rd parties (Privacy policy 5)
If you don't want them to sell it, use the "Do not sell my personal information" button.
Where do you find it?
Settings -> View privacy policy -> Do not sell my personal information
Privacy Policy 9: Your Rights:
False. I took at a trace of the network traffic with and without the consent bit set. WRG correctly sets the bit in the ironSource SDK, but the data shared is exactly the same with or without consent.
This does not refer to personally identifiable data given via consent for personalized ads, no matter what your made-up definition of "personalized ads" is. In the industry, this personalized experience has one and one meaning only: allow us to track and identify you personally, which is beyond collecting data such as region/country and other non-identifiable data and analytics which are sufficient for serving ads and running Services. I also did not interact with ads or 3rd party Services whatsoever.
The selling of data was never an issue and it is a separate matter.
@WRG
I hope WRG acts knowledgably and professionally on this serious matter and does not simply stall to let the issue be somehow solved in the court of public opinion by the random spewing of bored and ignorant loud-mouths.
This is an important part that you forgot to share?
Also what info are they collecting that is not in policy 4. "What data do we proces" ?
I could have made a mistake but all the data you mention is in there.
Also they mention that they share the data they collect in policy 6.
If this is all legal I don't know but as far I can see it is in there.
Which you give consent when installing the game.
Although it is strange that when you confirm consent for adds that there is no difference.
Also, no need to insult people it does not bring anything to the discussion, quite the contrary.
"If you don't want them to sell it, use the "Do not sell my personal information" button.
Where do you find it?
Settings -> View privacy policy -> Do not sell my personal information"
The Opting Out window starts with, "If you are a California resident, you have the right to request that we not sell your data."
I am not a California resident, so I apparently do not have the right to use this button.