
Server implementation leads to GDPR violation by everybody using it #17534

Closed
jrb0001 opened this issue Dec 31, 2019 · 33 comments · Fixed by #17575

Comments

Contributor

@jrb0001 jrb0001 commented Dec 31, 2019

The server sends the IP address of a player to all other players. IP addresses are considered personal data so distributing it requires consent of the data subject. I haven't seen any server asking for this and the current protocol also doesn't really allow implementing such a feature.

Related issues: #15647, #17343, #17529


Contributor Author

@jrb0001 jrb0001 commented Dec 31, 2019

@OpenRA/server-hosts The GDPR fines are huge (10M/20M) so you might want to do something about this before some troll comes up with the great idea of filing complaints with their DPA or taking legal actions.

Contributor

@abmyii abmyii commented Dec 31, 2019

See #17343 where I also brought up this issue, and discussion that followed.


@Papi94 Papi94 commented Dec 31, 2019

GDPR is a troll policy, public IP addresses can not lead to a player being identified without a warrant to the relevant ISP, therefore shouldn't be considered personally identifiable information. But unfortunately the policy maker trolls over in the EU have come up with this policy and threatened the world with fines up to 20 million. So yes I'd say it's probably reasonable to have some agreement for players when they join a server. Maybe come up with a boilerplate agreement that server hosts could modify as they see fit. This would probably need to be a server specific agreement, rather than one that is displayed on start up; it would need to be displayed upon joining a server, as each server host would be considered a data processor according to GDPR. I wonder how anyone in the EU is using BitTorrent these days, GDPR is such a troll policy.

Member

@pchote pchote commented Dec 31, 2019

#17529 (comment) should resolve this.

Contributor Author

@jrb0001 jrb0001 commented Dec 31, 2019

@pchote Removing the last octet is stupid in my opinion, just remove it completely. And what about IPv6? Even though the master server still doesn't support it, direct connect works.

@Papi94 You are wrong. If I give you my IP address, you just have to do a simple query to the RIPE DB and you will get:

  • my full name
  • my postal address
  • my email address
  • my phone number

No need for a warrant or anything, that information is public under the conditions of the RIPE DB.


@Papi94 Papi94 commented Dec 31, 2019

> @pchote Removing the last octet is stupid in my opinion, just remove it completely. And what about IPv6? Even though the master server still doesn't support it, direct connect works.
>
> @Papi94 You are wrong. If I give you my IP address, you just have to do a simple query to the RIPE DB and you will get:
>
>   • my full name
>   • my postal address
>   • my email address
>   • my phone number
>
> No need for a warrant or anything, that information is public under the conditions of the RIPE DB.

Respectfully, unless you are a service provider I will not get your information. For example the below is a whois lookup of my IP address. It doesn't even show the correct state.

```text
Source: whois.arin.net
IP Address: ***
Name: NWT-CT-75-136-64
Handle: NET-75-136-64-0-1
Registration Date: 11/27/06
Range: ****
Org: Charter Communications
Org Handle: CC04
Address: 6399 S Fiddlers Green Circle
City: Greenwood Village
State/Province: CO
Postal Code: 80111
Country: United States
```

Contributor Author

@jrb0001 jrb0001 commented Dec 31, 2019

Sure, but what applies to you doesn't automatically apply to everybody else. I am a LIR (RIPE region) as an individual so all my AS(es) and addresses are directly linked to my contact information. I also sponsor PI resources (and make PA assignments) to a few other individuals and all of them chose to have their contact info public as well. The alternative for them would have been to use the contact info of their LIR (me) instead. So yes, if you have IP addresses, then there is no reliable way to filter out a) static addresses (or "dynamic" addresses that stay the same for a long time, for example more than a year), b) addresses with an individual assignment to an individual, c) addresses with an individual assignment to an individual who chose to use the contact info of the LIR which happens to be an individual as well.

Just trust me on this, I can't prove it without giving enough information to find everything about me in the RIPE DB.

Contributor

@anjew175 anjew175 commented Dec 31, 2019

@jrb0001
That sounds like an issue with the user giving their personal information out and the privacy policy of the service allowing anyone to query their database for personal information.

Also aren't LIRs typically businesses or organisations? If this is an actual concern of yours, you can easily make your contact information akin to a business rather than outputting your home address and phone number.

That should be a concern for you regardless of whether OpenRA is displaying your IP or not, as there is no way to actually stop a server owner (or in fact, any person who has services you connect to) recording these IPs. Even if obfuscated somehow, Wireshark could easily identify any foreign connections. These concerns of yours still exist regardless of what happens to IPs.

Contributor Author

@jrb0001 jrb0001 commented Dec 31, 2019

@anjew175 If I wanted to "make your contact information akin to a business rather than outputting your home address and phone number", I would have to create said business, send official documentation to RIPE and request a transfer. It is not as easy as you make it sound and I decided against it for reasons.

If a server owner decides to look my information up, then he most likely has a legitimate reason to do so (unintended abuse, needs help for debugging, stuff like that) and then it should be as easy for him as possible to contact me. What isn't ok is if he systematically publishes the addresses unless there is a strong technical reason to do so (hint: that never applied and also never happened outside of openra afaik).

But please let's get back to the topic of this ticket. If somebody wants to discuss my reasons and stuff like that, just ping me on IRC and I will reply as soon as I see it.

Member

@Mailaender Mailaender commented Jan 1, 2020

Privately run servers may not be subject to GDPR laws according to Article 2, Section 2 c) GDPR.

Contributor Author

@jrb0001 jrb0001 commented Jan 1, 2020

> 1. This Regulation does not apply to the processing of personal data:
>   (c) by a natural person in the course of a purely personal or household activity;

Online gaming isn't a "purely personal" activity in my opinion (random other people are involved and you most likely don't even know them in person) and the household part definitely doesn't apply. It all comes down to interpretation and I prefer to stay on the safe side in such situations but feel free to take the risk if you want.


@ghost ghost commented Jan 1, 2020

> Privately run servers may not be subject to GDPR laws according to Article 2, Section 2 c) GDPR.

> Online gaming isn't a "purely personal" activity

Online gaming may be (from client perspective), but providing and maintaining a public multiplayer web server probably is not. I think doing so is very similar to "providing the means for processing personal data for such personal or household activities", see recital 18, for example here: https://gdpr-info.eu/recitals/no-18/.

> IP addresses are considered personal data so distributing it requires consent of the data subject.

Not necessarily consent but any legal basis from Art 6 GDPR. Since processing of the IP address is a technical requirement to offer/use the service and thus very likely within the legitimate interest (see Art. 6 (1) lit. f GDPR) the question about the legal basis is a non-issue. The real issue here is that you need to inform subjects when collecting data from them as told in Art. 13 GDPR. This is something you already can do without changes to the server implementation.

Show an automatic message when somebody joins that tells

  • what personal data you collect (IP/username etc)
  • that this information is passed to all other clients, saved in replays that are stored on each clients device
  • that you collect and distribute this data as it is necessary to offer the online multiplayer server
  • that offering the multiplayer server is also the interest you pursue with the processing of personal data
  • any other purposes you use the personal information for (server-side ban list?)
  • information about how long the data is stored (note that you may only store the data as long as it is needed for the purpose it was collected for).
  • your contact information
  • that subjects can not object the processing as it is technically required to offer the service.

Disclaimer: IANAL

Contributor Author

@jrb0001 jrb0001 commented Jan 1, 2020

@reallynotarobot Can you explain the technical requirement to publish the IP addresses of all clients? The server obviously needs it to maintain the connection, but the clients only interact via the server. I also don't see why replays would require it and the same applies to savegames.

Otherwise your list looks correct to me. Also a good point about the username (and more importantly the authentication system/forum account in general).

Regarding Art. 13 GDPR: The only mechanism for that I can see so far is the motd. But how am I (as a player) supposed to read that and exercise my rights if the admin decides to kick/ban me immediately? I don't have enough time to read it in that case. For example Art. 21 GDPR gives me the right to object to the processing but how am I supposed to do that if I don't even know what is processed for which purpose and by whom?

In my opinion, it would be a much better approach to do the following:

  • Don't store/process/publish information if it isn't required (IP address: the socket needs to stay alive obviously but everything else is optional).
  • Ask for explicit consent before sharing the data ("Do you want to use your OpenRA forum account to prove your identity to this server, all connected players and associate it with the replay?").
  • Give server owner a way to show a dialog to the player (with accept/reject button, maybe more flexible?) before anything else is done with the connection in case they want to do more with the data (ranking system or whatever other features you can think of).

Member

@pchote pchote commented Jan 1, 2020

> Ask for explicit consent before sharing the data ("Do you want to use your OpenRA forum account to prove your identity to this server, all connected players and associate it with the replay?").

This is covered by the forum privacy policy that players agree to as part adding a key to their account.

Contributor Author

@jrb0001 jrb0001 commented Jan 1, 2020

@pchote The forum privacy policy only matters for game servers if the owner of the forum is the data controller and all game server operators are only processors. Does the owner of the forum have a contract (or similar) that satisfies Art. 28 GDPR with every single game server operator (which includes players if they decide to host from within the game)? I don't remember agreeing to anything before hosting my first game... Or how is the forum owner compliant with Art 28 (1) GDPR without that contract? I don't think that's a good way to look at it to be honest.


@ghost ghost commented Jan 1, 2020

@jrb0001

> Can you explain the technical requirement to publish the IP addresses of all clients? The server obviously needs it to maintain the connection, but the clients only interact via the server. I also don't see why replays would require it and the same applies to savegames.
>
> Otherwise your list looks correct to me. Also a good point about the username (and more importantly the authentication system/forum account in general).
>
> Regarding Art. 13 GDPR: The only mechanism for that I can see so far is the motd. But how am I (as a player) supposed to read that and exercise my rights if the admin decides to kick/ban me immediately? I don't have enough time to read it in that case. For example Art. 21 GDPR gives me the right to object to the processing but how am I supposed to do that if I don't even know what is processed for which purpose and by whom?
>
> In my opinion, it would be a much better approach to do the following:
>
> * Don't store/process/publish information if it isn't required (IP address: the socket needs to stay alive obviously but everything else is optional).
>
> * Ask for explicit consent _before_ sharing the data ("Do you want to use your OpenRA forum account to prove your identity to this server, all connected players and associate it with the replay?").
>
> * Give server owner a way to show a dialog to the player (with accept/reject button, maybe more flexible?) _before_ anything else is done with the connection in case they want to do more with the data (ranking system or whatever other features you can think of).

I only had the transmissions in my mind so "technical requirement" could be wrong for storing IP-addresses. If it is wrong in that context, the data should probably not be stored there or only in an anonymized way.

Good point about the limitations of the motd. Instead the information (or any other text server owners would like to include) could be shown in a new info-widget in the server browser that could be accessible via a button when selecting a server. Remember that the right to object in Art. 21 GDPR depends on "grounds relating to your particular situation" unless the data is processed for direct marketing purposes. So the subject has to demonstrate that, which is also part of the reason why I'm not convinced that the consent model is needed/desirable.

There is the burden of documenting consent in Art. 7 (1) GDPR, the problem with getting valid consent if children are subjects and the lower "entry barrier" to the right to erasure in Art. 17 (1) GDPR when processing is based on consent.

> This is covered by the forum privacy policy that players agree to as part adding a key to their account.

> The forum privacy policy only matters for game servers if the owner of the forum is the data controller and all game server operators are only processors.

Regarding the data that servers request from the forum, I think this is a case of Art. 14 GDPR so you would have to inform about getting this public information from the forum controller etc. (identical to Art. 13 GDPR otherwise unless I remember it wrong).

I'm quite sure that server owners are not data processors since they aren't bound by instructions (of whom anyway?). The forum policy of course does not apply to you as a server controller and only matters in the relation between subject and forum controller. As I understand it, since processing happens to the same extent for the same purposes, you can refer to the consent given to the forum controller as legal basis but I'm a bit unsure and don't know details.

Contributor

@anjew175 anjew175 commented Jan 2, 2020

Isn't security (showing IP in game) and archival (IP in replays) considered legitimate purposes to process IPs?
IP is used as a security measure by server owners and players to remove people who may be disruptive to the game or actually breaking the law (hate speech/death threats). It's a measure used by countless games and servers for the purpose of protecting the integrity of the game.

Member

@Mailaender Mailaender commented Jan 2, 2020

It's impossible for a p2p game like OpenRA to hide IPs. I suggest for people who get scared by this to update their MOTD and add some kind of disclaimer. This is definitely overreacting.

Contributor Author

@jrb0001 jrb0001 commented Jan 2, 2020

@Mailaender OpenRA is only p2p from the game logic perspective. It isn't p2p from a networking perspective because everything always goes through the server. So there really isn't a technical reason why the addresses must be distributed to all clients. In fact my own server implementation doesn't do it and everything works just fine.

Contributor

@abmyii abmyii commented Jan 2, 2020

@jrb0001 Which server implementation?

Contributor Author

@jrb0001 jrb0001 commented Jan 2, 2020

@abmyii My own, fully independent, implementation which is used for the official SP and RV servers. Not all of them are already running on the new version yet so ping me on IRC if you want to know which ones you can use for verifying my claims.

Contributor

@abmyii abmyii commented Jan 2, 2020

I don't use the IRC server. Could you provide a link to the server implementation?

Member

@Mailaender Mailaender commented Jan 2, 2020

I think you shouldn't use weird EU law to justify a code change, but rather submit your true dedicated server as a pull request, because it is technically an improvement.

Contributor Author

@jrb0001 jrb0001 commented Jan 2, 2020

The only difference relevant to this ticket between the official and my implementation is that my server omits the IpAddress field when serializing the client info. This doesn't cause any issues on the client side and looks like this:

[screenshot]

If the country feature is so important to you, just implement it on the server side.

@abmyii I never bothered to publish the git repo so it is only available to very few people. But as I already wrote twice in this ticket, anybody can ping me on IRC to talk about anything not related to this ticket and I will reply as soon as I read it.

@Mailaender The implementation as a whole isn't "technically an improvement". It has some advantages but some features are not implemented at all (nobody from SP/RV uses them anyway) or simply work differently. Also I don't have the time nor motivation to do upstreaming work at the moment. But feel free to ping me on IRC if you are willing to do it.


@ghost ghost commented Jan 4, 2020

> I think you shouldn't use weird EU law to justify a code change, but rather submit your true dedicated server as a pull request, because it is technically an improvement.

@Mailaender the GDPR is based on some simple principles that I don't consider "weird" at all. The core principles are transparency, purpose limitation and data minimisation. I'm not Facebook or Google but only a normal dude, so for me it's a win if everybody who wants to use data that can be used to identify me (in the meaning of "recognize") has to comply with these principles. It's a long road to establish these standards and everybody can decide for themselves if they want to lead by example or postpone the involved work until problems arise.

I already noted what I think would be sufficient to do for server owners (include the mentioned information in a new dialogue). The OpenRA maintainers should also inform about how they use personal data, mainly about connecting to the master server and which data is stored for which purposes etc. These are separate things, as the master server controller and game server controller can be different persons and act independently.

Contributor

@reaperrr reaperrr commented Jan 5, 2020

Just to throw in my 2 cents:
As someone who is considering to make and release a commercial game based on the OpenRA engine and (probably) doesn't have the coding skills to make the necessary changes to server code, I'd rather drop multiplayer support completely than ship with/connect to anything with the slightest chance of causing legal trouble.

In my opinion it's completely irrelevant whether we consider any laws weird or not, the only thing that should matter is what consequences it might have if we don't (fully) comply.

Member

@Mailaender Mailaender commented Jan 5, 2020

I believe it is as simple as emptying

```csharp
IpAddress = ((IPEndPoint)newConn.Socket.RemoteEndPoint).Address.ToString(),
```

Apart from EU law it is actually bad practice to show player IP addresses because it offers an attack window: Start DDoSing your enemy, so they leave and you "win" the game.
https://arstechnica.com/gaming/2016/04/rainbow-six-siege-reportedly-reveals-your-ip-address-to-potential-attackers/ although I guess that problem exists mostly in theory, and I am not sure if hiding the IP there is enough.

Member

@pchote pchote commented Jan 5, 2020

> #17529 (comment) should resolve this.

Originally posted by @pchote in #17534 (comment)

Contributor Author

@jrb0001 jrb0001 commented Jan 5, 2020

@Mailaender Doing that would break address based bans (which are useless against a determined attacker anyway). If you want to avoid that, then AttacqueSuperior@7b28b8b is the solution.

Member

@Mailaender Mailaender commented Jan 5, 2020

That code looks like it only changes things on the client side.

Contributor Author

@jrb0001 jrb0001 commented Jan 5, 2020

@Mailaender The field is skipped during serialization of the class and the class is used on both the client and the server side. Current AS master:
[screenshot]
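The design jrb0001 describes above (the server keeps the remote address for its own use, such as address-based bans, but never puts it into the client-info record it sends to the other players) and the earlier "strip the last octet" alternative from #17529, as an added example. This is constructed illustration code, not OpenRA's server or the AS fork; the `ClientInfo`/`LobbyServer` names, the ban list and the sample addresses (RFC 5737/3849 documentation ranges) are all assumptions made for the example. The masking function is included to show the IPv6 gap jrb0001 raised: zeroing a "last octet" leaves an IPv6 address untouched.

```python
# Added example (not OpenRA's code): the server keeps each client's remote
# address to itself, uses it for address-based bans, and leaves it out of the
# client-info record broadcast to the other players.
import ipaddress
from dataclasses import dataclass, asdict


@dataclass
class ClientInfo:
    index: int
    name: str
    ip_address: str  # private: known to the server only


def mask_last_octet(addr: str) -> str:
    """Masking variant discussed in the thread: zero the last IPv4 octet.

    An IPv6 address has no "last octet" in this sense and is returned
    unchanged, so this masking silently does nothing for IPv6 clients.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        return str(net.network_address)
    return addr


def public_view(client: ClientInfo) -> dict:
    """The record other players receive: every field except the address."""
    record = asdict(client)
    del record["ip_address"]
    return record


class LobbyServer:
    """Minimal constructed lobby: accepts connections, applies bans, broadcasts."""

    def __init__(self, banned_networks):
        # Bans stay server-side and are expressed as networks, so single hosts
        # and whole ranges (IPv4 or IPv6) are handled the same way.
        self.banned = [ipaddress.ip_network(n) for n in banned_networks]
        self.clients = {}

    def is_banned(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        # ip_network.__contains__ returns False across address families,
        # so a v4 client is never matched against a v6 ban and vice versa.
        return any(ip in net for net in self.banned)

    def connect(self, index: int, name: str, addr: str) -> bool:
        """Accept a connection unless its address is banned; the address is
        stored only in the server-side record."""
        if self.is_banned(addr):
            return False
        self.clients[index] = ClientInfo(index, name, addr)
        return True

    def lobby_broadcast(self) -> list:
        """What every connected player is sent about every other player."""
        return [public_view(c) for c in self.clients.values()]


def demo():
    # Constructed sample connections using documentation address ranges.
    server = LobbyServer(banned_networks=["198.51.100.0/24", "2001:db8:bad::/48"])
    accepted = {
        "alice": server.connect(0, "alice", "203.0.113.77"),
        "bob": server.connect(1, "bob", "2001:db8::1"),
        "mallory": server.connect(2, "mallory", "198.51.100.9"),
    }
    return accepted, server.lobby_broadcast()


if __name__ == "__main__":
    accepted, broadcast = demo()
    print(accepted)
    print(broadcast)
    print(mask_last_octet("203.0.113.77"), mask_last_octet("2001:db8::1"))
```

The point of keeping the address out of `public_view` rather than masking it is that bans, abuse handling and debugging still work on the server, which is the only party that needs the address to keep the socket alive, while nothing address-shaped reaches other clients, replays or savegames that are built from the broadcast record.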

@Mailaender Mailaender added the Security label Jan 5, 2020

@wippie-openra wippie-openra commented Jan 5, 2020

As an Implementation Consultant I deal with GDPR daily. GDPR does not mean you can’t use personal data, it means you can’t use more than necessary and you can’t store it for any longer than necessary. I would say in game use is fine but in replay files and server logs saving the IP address is doubtful. So basically, anjew is spot on.

I wouldn't worry about the fines. I've seen governmental organizations get away with way, way, way worse. In Holland there's a famous case where a fine was awarded; a celebrity was rushed into the hospital, rumor was she tried to commit suicide. Lots of hospital employees accessed her file out of curiosity, violating her privacy.

Contributor

@anjew175 anjew175 commented Jan 6, 2020

> Start DDoSing your enemy, so they leave and you "win" the game

The same can be said for exposing the server IP. Start losing, just DDoS the server, everyone leaves and you 'win' the game
