Posts made by faraday

@mietze said in Privacy in gaming:

Bans are almost always announced. The other stuff rarely is. Which does tie back to a certain part of privacy (not making every player's disciplinary strikes or problems public on game). Man, I feel like I should be proud of myself for staying OT.

This. For instance, I got a lot of flak on a game for "not doing anything" about a particular problem player, when in fact there was a series of escalating counselings/warnings/etc. happening behind the scenes. They just weren't broadcast to the world, nor do I think they should have been. It wasn't until the person was banned that everyone was like: "Yes! Finally she did something!"

If the problem is bad enough that the person doesn't belong in your community, then you ban them. Otherwise I think rehabilitation is more productive than punitive actions.

@Arkandel said in Privacy in gaming:

Every conversation, personal or over a channel, is permanently logged.

One also has to consider the technology involved. We're so used to ancient MUSH tech with its live-telnet feed, but that's just not how virtually anything else works these days. WoW, forums, slack/discord, storium, Facebook messenger, gmail... they all store all conversations too. It's not because the admins are trying to (or even want to) snoop on everything, it's because that's what you need to do on a technical level to enable asynchronous communication. We should be careful not to subscribe suspicion or malice to a purely technical necessity. (Not that you were -- just making a general comment.)

@Pandora said in Privacy in gaming:

This isn't an exercise in trying to convince anyone that they need to embrace the joy that is an omnipresent staff, I'm just wondering if there is any angle I personally am not looking at, in terms of privacy, that should make me less open to the idea of staff seeing everything. Thus far, that's a no.

I'm similarly not trying to convince you that having an omnipresent staff makes the game evil, as long as players know what they're getting into. Certainly on most MUs players don't go into it thinking that staff is going to be monitoring literally everything as a matter of course. I think that's why there was such a big disconnect between you and @Derp, because Derp's talking about "private spaces" on a game (a fairly common concept in MUs) and you're talking about a game where that's a concept that doesn't exist.

But I don't think you can get away from the fact that actual harm has come from staff snooping on things that were meant to be private. From extreme examples of doxxing, stalking and spamming to the more everyday cases of drama, hurt feelings, and in-game cheating. These things have happened with reasonable frequency. That's why so many folks are touchy about it, even beyond the philosophical "privacy is a right" arguments.

@Pandora said in Privacy in gaming:

If it's not too much trouble, can someone give me an example from either the second or third category (or both if something comes to mind) of something you imagine that you or another hypothetical player would feel violated about if you found out staff had read it?

As others have pointed out, who feels 'violated' by what is an intensely personal thing, rooted in moral and philosophical beliefs as much as anything.

Whether you buy into that or not, it's pretty easy to speculate instances where such behavior could be problematic, just on a practical level.

One can imagine an admin gaining an unfair advantage for their own PC through OOC knowledge snooped from a private log.

Or becoming privvy to personal OOC details that were not meant to be shared beyond the person they were told to (off-game contact info, family drama, illness, work situations, anxieties, love life, etc.). Even worse if the snooping admin then shares that info with others. The fact is that this info has been abused by nefarious admins in the past, so it's not just a hypothetical concern.

I put together a general privacy article for Ares games if anyone's interested. (Feel free to send me any comments on things I've missed, explained poorly, etc.)

In the next patch it'll be available on the games themselves in 'help privacy'.

@L-B-Heuschkel said in Privacy in gaming:

I can definitely imagine uses for private scenes that are not sexual in nature, just that you don't want everyone to barge in at random.

Yeah a lot of people use them for scenes that are just limited in scope - a gathering at your apartment, a private conversation in the restaurant, a meeting with your boss, a flashback scene, slow scenes like @Auspice mentioned, etc. Or for people like me who just get overwhelmed in big scenes and prefer to limit the number of players. Many of them even get shared afterward, they're just not 'open' while they're happening.

But in terms of privacy, the idea is that staff shouldn't be able to just drop in on or snoop on private scenes. Out of the box, Ares provides no method to do so for regular admins. You'd need someone with headwiz or coder powers to go digging through the database, or someone modifying the hardcode, or setting up a key logger, or something like that.

@gryphter said in Privacy in gaming:

@Sunny That's very interesting. I guess I need to think a little deeper about our supposed doom. Perhaps I'm just being a little too cynical.

This might be useful to you: COPAA Regulation Applicability. @Sunny is right - if you're not deliberately targeting the app/site to kids under 13 and you don't have specific knowledge that there are kids on your site, you're generally pretty safe. (again with the IANAL disclaimer) Slapping an 18+ notice on the terms of service helps too.

@Sunny Then we disagree. That's fine.

I will agree with you that "our hobby cannot coexist with the laws" (paraphrased) is not accurate. The privacy laws are mostly about transparency and informed consent. Tell people what data you collect, how you're going to use it, and how you're going to protect it. This doesn't have to be a novel, and "staff may review anything at any time" is a perfectly valid policy (see: Blizzard) as long as people are informed and consenting to it.

@Sunny said in Privacy in gaming:

No PII is involved in a mush. Your IP does not, in most cases, qualify as PII, as it identifies a computer, not a person. So, uh, yeah.

If we're getting technical about it. From the GDPR:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

Though there's some debate on the subject when it comes to dynamic IPs. Also many games require or allow you to store your email address for idle notifications/password retrieval/etc., which is most assuredly PII. There's also the potential for PII to be included in mails, pages, etc. which one might argue players would have a reasonable expectation of privacy for (unlike public scenes or channels).

ETA: For example: I send a mail to my buddy with my RL name, address, phone number, whatever. One can debate the wisdom of that, but one cannot debate that it happens.

@gryphter said in Privacy in gaming:

Does it matter what the intended use is? For example, what if it's staff's policy on an Ares game to monitor public scenes so they can delight and amaze by GMing into them at random?

Not to sound like a broken record, but that's why it's so important for games to have a privacy policy/statement, to set those expectations.

From a purely technical standpoint, "open" scenes in Ares are just that - open for any and all to watch and join. "Private" scenes can only be joined and viewed by those you invite. There is no admin level command to spy on a private scene (i.e. you can't just open it or go dark and hop in), but as we've said before - there is nothing to stop nefarious admins from packet sniffing or digging into the database, or changing the hardcode so they can view everything, on Ares or any other MUSH.

@WildBaboons You're right, a Wendys was not the best example, forum software would be a better one. The privacy regulations (HIPAA, GDPR, etc.) are geared around protection of private personal information. If you're broadcasting your name, email, health information for all the world to see - you're choosing to make it public. That's not a privacy violation the site is responsible for.

@WildBaboons said in Privacy in gaming:

you're discussing your health history on an Ares chat channel that's posted in the channel history to a webpage

Not likely in that specific instance, because you're doing the disclosure yourself in a public forum. It would be no different that talking about your diabetes to your buddy in the line at Wendys. Wendys isn't responsible for who might overhear.

But a staffer snooping on a page convo and then gabbing about your diabetes would be more problematic.

ETA: I agree with your general point about having a privacy policy though - I said so earlier as well.

@Arkandel said in Privacy in gaming:

It's fair to argue most people would find the idea of being recorded without their knowledge in a house they're visiting to be disturbing, creepy or at least frown on the idea of such a practice.

Would they? Judging by the trends in smart home security cameras, I think we're on our way to an era where being recorded in someone's home is as much a presumed non-event as knowing that I'm on camera when I walk into Wal Mart.

If you're not talking about laws, though, you're talking about social norms. And judging from the replies on this thread, there is quite a bit of variance in what players expect.

@Arkandel said in Privacy in gaming:

If you're having a private conversation I can't use preinstalled microphones you don't know about to record it just because you're under my roof

You say "can't" there, so I presume you're referring to laws. Otherwise what's to stop you?

But federal wiretap laws revolve around the idea of whether there's a "reasonable expectation of privacy" with the thing being recorded. (Disclaimer: I am not a lawyer.) Two people chatting in my living room without me being present? Yeah, they probably reasonably expect privacy.

But two people chatting on this forum's direct message software? I don't think that same expectation exists because we know the conversation is being saved in a database somewhere and could be viewed. Two people chatting on Blizzard's WoW guild chat? The expectation definitely doesn't exist because it's right there in the terms of service saying "chat logs are recorded and subject to review."

I don't think it's as black and white as you're making it out to be.

@Thenomain said in Privacy in gaming:

If I leave my house unlocked, you are still trespassing if you enter it uninvited.

I think this is the wrong analogy for a MU.

It's more like... If you come into my house for a party and I have a security system.

Is it unethical for me to monitor my home? Of course not. The ethics are around how I gather and use that footage.

Creeping on people in the bathroom? Eeew. Clearly awful.

Reviewing the footage from a particular night to verify Jane's tale when she claims that John assaulted her? I think that's perfectly valid.

Combing through footage of guests at a party and eavesdropping on conversations they presumed were private? That's just a jerk thing to do, even if it is your house.

@Ghost said in Privacy in gaming:

Do most MU-providers run on HTTPS and have certs? I wonder if their CA cert would allow the games on their servers to fall under the umbrella of that cert.

In my experience, it's not that simple. The MU server process will need access to the actual server certificate file, and those are usually locked down to root. There's a complicated dance I had to go through for Ares to make that work, and it still requires sudo access (which you aren't likely to get on a traditional MU provider). Also, depending on the way the cert is set up, it wouldn't apply to sub-domains. mymush.somewhere.com doesn't automatically get to piggyback off of somewhere.com's certificate.

@L-B-Heuschkel said in Privacy in gaming:

They're both very important discussions, but they are not interchangeable at all.

I would argue that there are several separate topics at play here:

• What can be done on a tech level to better protect the transmission and storage of data (e.g. @Ghost's SSL stuff, talking about database security, etc.)
• What can be done by ethical staff to establish solid privacy practices to protect themselves and their players.
• What can be done to guard yourself against unethical staff snooping without any justification and/or abusing your private data (IP, email, any info gleaned from OOC chatter or RP) for their own ends.

It's good to remember that the latter problem exists, but we're not going to get much mileage out of it. As @Derp points out there's precious little you can do beyond leave.

@Alamias said in Privacy in gaming:

I wouldn't hate it if MU's moved to a different more secure port. I don't know why it hasn't moved up with the times to use a more secure connection.

Double post because I missed this while replying to the other one...

A big reason is barrier to entry. Setting up a SSL certificate and getting the server settings right is not trivial. You have to remember that most folks running MUs are not professional server admins. I've made it as easy as I can to set up HTTPS for the Ares web portals, but it still trips people up sometimes. Also I'm not sure all MU clients even support it, so you still have to provide the insecure port as well.

@Ghost Yeah I am definitely not a privacy lawyer or anything, so I can't comment on potential liability. But I think that in today's tech/privacy climate, MU owners should protect themselves and their players. That means having a policy for what data is collected and how it can be used, and ensuring that other staffers follow that policy.

@Ghost said in Privacy in gaming:

Telnet is the current MU standard, replaced in every other industry by SSH around 2005 due to horrific vulnerabilities.

SSH won't protect you from the game owners snooping though. It falls into the same vein of Gmail employees reading your emails, Discord employees snooping on your juicy gossip, or Ark & company here on MSB choosing to sell our emails. The only thing really stopping them from doing so is their own internal policies. That only goes so far.

The GDPR theoretically applies to MUs and provides some data protection "rights", but good luck getting that enforced. Or even understood.

I think that any reputable MU should have a privacy policy and informed consent via some sort of 'terms of service' acknowledgement. While I don't think it needs to be as elaborate as, say, Blizzard's Privacy Policy, it should set expectations. Blizzard is very up-front that chat logs, etc. ARE logged and subject to review for abuse and whatnot. That doesn't stop people from playing WoW.

The difference between Blizzard and your average MU is accountability. If some Blizzard employee is discovered getting their jollies by snooping on random chat convos, they're going to get fired. We lack that accountability on MUs because - as someone pointed out on the other thread - MU players generally tolerate that kind of nonsense and continue playing even after such abuses are 'outed'.

@Jeshin said in Privacy in gaming:

I still just assume every command I enter include quit and RP posts gets saved to a runlog somewhere even though I've been assured in multiple threads that isn't how things work in MUSH circles.

It can be. Even if the game server doesn't let you turn on full command logging with a switch, it can be done. Bottom line: if you're sending data to the server, then the owner of the server has access to the data. It's what they're gonna do with it that's the interesting question.

@Thenomain genesismuds, thirdhosting, mudmagic... there are a bunch of them.