Privacy in gaming
-
I am going to repeat myself here because the point seems to have gotten missed in the rest of what I said:
I do not care about my privacy because I am worried about someone reading my pages and mail, or watching my TS. I don't have anything to hide, I don't share stuff I care about being seen, etc.
I care about my privacy for my privacy's sake, because I value it.
-
A conversation in line at Wendy's isn't (probably) recorded and archived for who knows how long. but Ares also logs And archives Page conversations. not to pick on Ares, it's awesome and those features are awesome but Privacy is the topic at hand.
But yeah, privacy policy! State it, repeatedly. Even "you have no expectation of privacy when you log in" works. Just let people know what they're getting in to.
-
@WildBaboons You're right, a Wendys was not the best example, forum software would be a better one. The privacy regulations (HIPAA, GDPR, etc.) are geared around protection of private personal information. If you're broadcasting your name, email, health information for all the world to see - you're choosing to make it public. That's not a privacy violation the site is responsible for.
-
Does it matter what the intended use is? For example, what if it's staff's policy on an Ares game to monitor public scenes so they can delight and amaze by GMing into them at random?
Now what if they do the same thing, but with private scenes? A private scene isn't necessarily a TS scene, just one you don't want any uninvited players to join. Would you want a way to demarcate those? One could always be politic and call the flag 'No GM', even though we'll all know it really means 'TS'.
-
I'm not a privacy lawyer, I'm just advised by them. And like Wendy's maybe a public chat channel wasn't the best example but these sorts of laws and regulations are still new and in a lot of cases untested. We could totally derail this thread to talk about GDPR and the CCPA and who knows what else but the point is that privacy is a thing. people expect it, the law in some cases and jurisdiction requires it.
I totally may steal this thread and turn it into a talk at the next IAPP summit.
-
I think often we don't pull some of these threads because we sense that the correct application of the law would annihilate our hobby's ability to exist. It's doubtful we would be able to satisfy the requirements of the law, if the law deigned to truly care, in more than one area.
Right out of the gate the glaring lack of protection for PII and the equally glaring lack of vetting and accountability for those that can access it.
-
@gryphter said in Privacy in gaming:
Does it matter what the intended use is? For example, what if it's staff's policy on an Ares game to monitor public scenes so they can delight and amaze by GMing into them at random?
Not to sound like a broken record, but that's why it's so important for games to have a privacy policy/statement, to set those expectations.
From a purely technical standpoint, "open" scenes in Ares are just that - open for any and all to watch and join. "Private" scenes can only be joined and viewed by those you invite. There is no admin level command to spy on a private scene (i.e. you can't just open it or go dark and hop in), but as we've said before - there is nothing to stop nefarious admins from packet sniffing or digging into the database, or changing the hardcode so they can view everything, on Ares or any other MUSH.
-
No PII is involved in a mush. Your IP does not, in most cases, qualify as PII, as it identifies a computer, not a person. So, uh, yeah.
-
@Sunny I'll give you that, but it's close enough that I have an interest in how it's being protected.
-
Obviously. But I vehemently disagree that 'proper application of the law and our hobby wouldn't exist' is accurate. That's absolute nonsense, especially if the basis for that is PII, when there is no PII.
ETA: I mean seriously with a claim like that? Citations needed.
-
@Sunny said in Privacy in gaming:
No PII is involved in a mush. Your IP does not, in most cases, qualify as PII, as it identifies a computer, not a person. So, uh, yeah.
If we're getting technical about it. From the GDPR:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
Though there's some debate on the subject when it comes to dynamic IPs. Also many games require or allow you to store your email address for idle notifications/password retrieval/etc., which is most assuredly PII. There's also the potential for PII to be included in mails, pages, etc. which one might argue players would have a reasonable expectation of privacy for (unlike public scenes or channels).
ETA: For example: I send a mail to my buddy with my RL name, address, phone number, whatever. One can debate the wisdom of that, but one cannot debate that it happens.
-
Email is PII, but 'email' is not a requirement for mushing as a hobby, it is game specific policy. I disagree that in the context of mushing an IP would be by law considered PII, as the context mattering is why your quote says 'may' rather than stating it's an absolute.
ETA: Yes, but the fact that it happens does not mean that a mush is legally obligated to some sort of care as to who can access the staff side stuff.
-
Perhaps the goal, then, is not to establish some wide-ranging privacy policy, but to educate the masses on exactly what it is staff can do.
-
@Sunny I'm not invested enough in the point to research a bunch, especially when I'd rather be wrong. It's just my sense that there are a lot of areas where we might be found lacking, such as protection of minors. I say this as someone who once was a minor who failed catastrophically to be protected from a bunch of wild shit on internet text games. No ragerts, but probably not ideal, and as an adult I sure as hell don't want to explore certain themes with a child. To solve a problem like that in any kind of real way we'd have to start verifying who it is that connects to a game.
-
@Sunny Then we disagree. That's fine.
I will agree with you that "our hobby cannot coexist with the laws" (paraphrased) is not accurate. The privacy laws are mostly about transparency and informed consent. Tell people what data you collect, how you're going to use it, and how you're going to protect it. This doesn't have to be a novel, and "staff may review anything at any time" is a perfectly valid policy (see: Blizzard) as long as people are informed and consenting to it.
-
@gryphter Not to engage in a bunch of whataboutism, but the entire internet is terrible at protecting minors. It would be almost impossible to prove that a person is an adult, or indeed who they claim to be, over the internet. I certainly think that providers of services have some level of responsibility to do what they can, but protecting minors should be, primarily, the role of the parent or guardian.
-
@Tinuviel To continue that achingly dull point, I definitely think part of the privacy issue needs to rest in the hands of players. Though it's a rather banal statement, if you don't have control of it assume someone can access anything you send over it. It's a common joke that the NSA or whoever is watching everything, that should prompt people to be more circumspect in what they say when they're on someone else's service - be it a game, social media, whatever.
-
Those are different issues. They have nothing to do with this. The short answer is that games are not legally obligated to care if kids lie. If the game becomes aware that a child is present that has lied to be there, via an IAgree, the game IS legally obligated to care, and to remove them if they are discovered. If it is an 18+ game.
I discovered a 17 year old on my game once upon a time. I talked to legal help VERY QUICKLY. Amusingly enough, I was able to obtain written permission from his mother to allow him to be there, we took some precautions, and everyone won. Legally tho, because of how it works, we generally can't be held liable if they lie.
-
@Sunny That's very interesting. I guess I need to think a little deeper about our supposed doom. Perhaps I'm just being a little too cynical.
-
@gryphter said in Privacy in gaming:
@Sunny That's very interesting. I guess I need to think a little deeper about our supposed doom. Perhaps I'm just being a little too cynical.
This might be useful to you: COPAA Regulation Applicability. @Sunny is right - if you're not deliberately targeting the app/site to kids under 13 and you don't have specific knowledge that there are kids on your site, you're generally pretty safe. (again with the IANAL disclaimer) Slapping an 18+ notice on the terms of service helps too.