ESO Logs consent is not GDPR Compliant. Very promising.

Elwendryll

First of all, I love the esolog system. It's really cool, and I'm looking forward to using it.

I'm an apprentice engineer in IT. So I study in an engineering school, and I work in an IT services company.
I've had courses on the law aspects of IT, including GDPR (With a lawyer specialized in this field), and a formation on GDPR dispensed by my company.

So, I'm not an expert, but I'm not guessing anything, it's what I've been taught by experts.

Some actual experts in this thread have already stated that this website is indeed not GDPR compliant.

Any data that allow to identify an individual is personal data. You only need a nickname or an IP address. You don't even need your email or your real name, it's irrelevant. As long as you can say "Oh, that's the same DD here" between two parses uploaded by two different people, it means that's the aforementioned DD is "identified". Just look at the forum, you can read all my posts, and if I post a new comment, you can associate it with all my previous comments, my opinions, and everything I've shared about myself here. You don't even necessarily know my name, my age, my address, or my IP address, my username is enough to identify me, and can be considered personal data. Any piece of information that allows you to attribute to the same entity two samples is personal data.

The whole log system is not GDPR compliant, it should be fixed, and it has nothing to do with if the system itself should stay or not. I personally find it awesome. It doesn't take much to make it GDPR compliant, and that's not really complaining, that's a statement. I personally don't care for my personal usage, it just doesn't comply to the EU regulations, yet.

On ZOS side, the first step should be to set all accounts on anonymous by default, and display a message informing people that logs about their character may be recorded and used on a third party website.

VaranisArano

WeerW3ir wrote: »

There is one huge difference. With the new tool. they can track your activity in game. even if you hide yourself. the game will say youre anonymus. and lets see. if there is a trial. and from 12 member. only youre the anonymus. then it will end up the same. they will know youre.

That's not a huge difference from being in a group where everyone posts their Combat Metrics parse, you don't, and everyone figures our your DPS anyways. ZOS allows that situation.

So being able to be identified with Combat data via extrapolation is not a good reason to oppose ESO Logs. That already can happen.

DjMuscleboy02

anitajoneb17_ESO wrote: »

zTrok wrote: »

Not sure what the fuss over this whole thing is. The logs are going to be super helpful as a raid lead, and I'm pretty sure the pugs in a fungal grotto 1 won't care that you can't do more than 10k dps, so what's the issue?

Doesn't have to be about DPS.
Let's see John, student and ESO player. John has a very nice girlfriend, a lot of stuff to study for his studies, and enjoys playing ESO. Now there's this group raid on thursday night with his guild. And Jane - she's the girlfriend - wants to go out somewhere. Now John tells Jane that he has an important exam on friday morning, promises to study a lot and to go to bed early, kisses her good night and sits comfortably in front of his PC and prepares for raiding. Everything is fine, until the next morning, Jane sees the raid log on esologs...
I'm not sure that scenario takes so much weed to imagine. It's everyday stuff really. The part where the log says exactly what you've been doing in the game and when is already a problem.

This is undoubtedly the stupidest post I've seen on forums in months. But I'll humor this. This entire "argument" is based around the fact that "John" lies to his girlfriend. Perhaps he should just tell her that he has a commitment he's made and if she doesn't respect that, then that's her problem. I really do not see how this is even remotely relevant.

jainiadral

To be perfectly honest, I don't really care what basis is used to ensure that "anonymous" is enabled by default. If it's GDPR, Canadian privacy protections, the arcane chantings of the Oracle at Delphi, common decency, whatever, it's all good in my books. So long as that happens, ESO Logs and I are hunky-dory

VaranisArano

Flares wrote: »

anitajoneb17_ESO wrote: »

Jhalin wrote: »

Law only applies to your data, which this isn’t. You agreed none of the data on the account belongs to you. You have zero ownership and thus, zero claim to any infringement on “your” data. @ names aren’t linked unless you sign up for the site so you can’t even try to argue it that way. There is nothing that could reasonably be construed as sensitive information

GDPR says otherwise. GDPR trumps TOS. Pseudonyms are private data. That's all there's to it. Deal with it.

How much of a casual you have to be to go after the best thing that ever happened to eso. Just don't participate in the content and you won't get parsed. People didn't care about you before, they certainly won't care now

Hmmmm, not quite.

Casual, hardcore, new, returning, or anything in between type player, we've seen from one of the tests that if you are in a group or even nearby someone who is logging an encounter, then your data gets included in the log's text file. Certainly if you are in a group with the logger, and that log is uploaded, your data will be included in the log on ESO Logs in the parse.

By default, that log txt file includes @name and Character ID, while the displayed log shows your Character ID.

Only if you check a box to be anonymous under Combat Settings is your @name and Character ID hidden.

So there's no guaranteed way for you not to wind up in someone's log txt file unless you never play the game. There's no veto to not have your random normal dungeon logged and uploaded. The only option players have is to set themselves to Anonymous - and that's not the default in game option.

anitajoneb17_ESO

DjMuscleboy02 wrote: »

This is undoubtedly the stupidest post I've seen on forums in months. But I'll humor this. This entire "argument" is based around the fact that "John" lies to his girlfriend. Perhaps he should just tell her that he has a commitment he's made and if she doesn't respect that, then that's her problem. I really do not see how this is even remotely relevant.

So if I don't want my neighbour to look at my kitchen through the window, I should get rid of my kitchen, or of my neighbour, but not shut the window...

DjMuscleboy02

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

This is undoubtedly the stupidest post I've seen on forums in months. But I'll humor this. This entire "argument" is based around the fact that "John" lies to his girlfriend. Perhaps he should just tell her that he has a commitment he's made and if she doesn't respect that, then that's her problem. I really do not see how this is even remotely relevant.

So if I don't want my neighbour to look at my kitchen through the window, I should get rid of my kitchen, or of my neighbour, but not shut the window...

You should elect to put blinds up. Try again.

anitajoneb17_ESO

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

DjMuscleboy02

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

Perfect, you can chose to be anonymous! Glad we've worked that out.

xMovingTarget

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

In your example, blinds are set to anonymous. Full opt out would be move your house to where you don't have a neighbor.

VaranisArano

DjMuscleboy02 wrote: »

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

Perfect, you can chose to be anonymous! Glad we've worked that out.

That works for every player who knows where the box is to check it to become anonymous, so that their character ID isn't attached to someone else's log.

Being anonymous isn't the default, which means there's a pretty good chance that plenty of new and returning players won't know they have to check the box if they want to be anonymous.

Most analogies break down when pushed hard enough, so I'mma steer clear of the blinds/windows analogy. Especially since everyone presumably knows its possible to shut your blinds if you want privacy.

anitajoneb17_ESO

DjMuscleboy02 wrote: »

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

Perfect, you can chose to be anonymous! Glad we've worked that out.

Nope, you still don't get it. (You probably would if you weren't so eager to jump at someone's throat all the time without listening to anything they have to say).

I'm not happy with choosing to be anonymous. Everyone should be anonymous until they choose to appear. Not the other way around.

xMovingTarget wrote: »

In your example, blinds are set to anonymous. Full opt out would be move your house to where you don't have a neighbor.

You're taking my "example" out of context. It was meant to explain why people concerned with privacy don't all have to be "filthy casuals wishing to hide their DPS" and that the reasons might be entirely unrelated to their performance ingame. And that nobody gets to judge someone else's privacy concerns.

pelle412

I have no problem with anonymous being default, but having said that I'd then want an in-game indicator of which players in my group is set to anonymous so we can address that before content progression and time isn't wasted.

Nebthet78

Jhalin wrote: »

Reistr_the_Unbroken wrote: »

ryzen_gamer_gal wrote: »

One more try.

The legal argument will come down to who is and isnt a natural person.

Your named character isnt a natural person.

Even though you may qualify as a natural person (or who knows, maybe legally you dont qualify)


See the real problem now?

Well see here, the the named character is possibly still under a console username or email address soooo...

Which are inaccessible except to those you give access via the guild membership system used on that site, if you never join the site you’ll never have your @ name attached to the characters

My @name might not be available through the website... but it was proven on here, that your @name is available in the logs themselves. And for those who know how to read the logs and that information, they will have it whether or not they use the website because they were able to save my personal data to their computer, without my meaningful consent.

That, is just as big of an issue as handing that information off to a Third Party website, and why a lot of people don't want the logs to even be recorded without their permission, especially if it records you not only by being in a group, but by being in the area near the person recording.

anitajoneb17_ESO

pelle412 wrote: »

I have no problem with anonymous being default, but having said that I'd then want an in-game indicator of which players in my group is set to anonymous so we can address that before content progression and time isn't wasted.

Wouldn't simply asking in voice chat or group chat address that issue in a more straightforward manner ?

pelle412

anitajoneb17_ESO wrote: »

pelle412 wrote: »

I have no problem with anonymous being default, but having said that I'd then want an in-game indicator of which players in my group is set to anonymous so we can address that before content progression and time isn't wasted.

Wouldn't simply asking in voice chat or group chat address that issue in a more straightforward manner ?

One would think, but in practicality it's imprecise. I have done exactly that for various things and sometimes it works and sometimes it doesn't. Objective information is better.

ZOS_RogerJ

Greetings! Just a friendly reminder, to keep the thread civil, constructive and on-topic. Remember, it’s okay and very normal to disagree with others, and even to debate, but provoking conflict, baiting, inciting, mocking, etc. is never acceptable in the official The Elder Scrolls Online community.

DjMuscleboy02

VaranisArano wrote: »

DjMuscleboy02 wrote: »

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

Perfect, you can chose to be anonymous! Glad we've worked that out.

That works for every player who knows where the box is to check it to become anonymous, so that their character ID isn't attached to someone else's log.

Being anonymous isn't the default, which means there's a pretty good chance that plenty of new and returning players won't know they have to check the box if they want to be anonymous.

Most analogies break down when pushed hard enough, so I'mma steer clear of the blinds/windows analogy. Especially since everyone presumably knows its possible to shut your blinds if you want privacy.

Honestly, it's not ZOS' responsibility to inform new and existing players of every facet of the game. They have announced the tool, posted many resources as reference, and even mentioned it on live streams. Ignorance is not a valid reason, all the information is readily available. In this regard, possibly mentioning it as a loading screen tip, or maybe for a time period as you scroll through the announcements when first logging in would resolve an issue of ignorance.

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

anitajoneb17_ESO wrote: »

DjMuscleboy02 wrote: »

You should elect to put blinds up. Try again.

This is exactly what we're asking for. A complete opt-out option - or at the very least, the "anonymous" status to be the default status.

Perfect, you can chose to be anonymous! Glad we've worked that out.

Nope, you still don't get it. (You probably would if you weren't so eager to jump at someone's throat all the time without listening to anything they have to say).

I'm not happy with choosing to be anonymous. Everyone should be anonymous until they choose to appear. Not the other way around.

Oh I read what you had to say, that's a bold assumption. I'm happy to hear what you have to say, provided you give a sound argument that the ESO logs are a problem. Although, I think we'll simply disagree on what constitutes a "problem."

This idea that it will breed toxicity is simply untrue. As it currently stands, there are plenty of tools these "elitists" can use to tell how much damage a specific group member is doing. It's not very hard to deduce. Regarding that aspect, nothing will change. What will change, however, is the tools available to people who are actually trying to be constructive. That is where these ESO tools will be advantageous.

Alinhbo_Tyaka

DarcyMardin wrote: »

anitajoneb17_ESO wrote: »

Mudcrabber wrote: »

None of the logs will show up in Google. That used to be good enough for most.

https://www.esologs.com/robots.txt

User-agent: *
Disallow: /zone/
Disallow: /guild/
Disallow: /character/
Disallow: /reports/
Disallow: /server/

Does the GDPR have any safeharbor exceptions, where responsibility falls on the uploader instead of the service host? Sites like YouTube or Reddit could not function if they were personally responsible whenever someone's username was mentioned in a bad light.

I'm sorry but the "robot" thing doesn't make sense to most of use (unless I'm much dumber than most). Care to explain / elaborate a bit ?

This is simply an answer to the robot question, from someone who has been an expert witness in US federal court on search engine technology:

A robot, in this sense of the word, is a software program that follows links across the web and indexes the material on the pages where it lands to be stored in various databases. The database being referred to by the original poster is Google—which indexes just about everything posted on the web unless it is ordered not to do so. Website developers can set up “do not index” command on their websites, and what the poster brought up was exactly this—the third party website where the ESO logs are being stored is currently ordering any robots who visit the site not to index the items that are above listed as “disallowed.”

What this means is that any info that fits into those listed variables will not show up in a Google search. Or in a search on any other search engines.

Whether this provides sufficient privacy is another matter entirely.

Right but it is all on the honor system just like do no track in a web browser request. Nothing can stop the robot from ignoring the request and indexing the items anyway. I use to participate in the IETF back in the 90's and these types of ideas came up frequently from the academic side of the house where people trusted other people in following the rules. Those of us from the business side usually shook our heads knowing the real world is more like if you give them the means they will use it right or wrong.

Alinhbo_Tyaka

RANKK7 wrote: »

Kittenhood wrote: »

@RANKK7
That 'cookies' message on ESOLogs has always been there in some form or fashion.


(...) it also serves no purpose other than the spread of misinformation by the OP (Original Poster).

In some form or fashion is not GDPR compliant but you may contact www.cookielaw.org or www.itgovernance.eu and tell them they are "misinformed" at this point because:

Implied consent is no longer going to be compliant. There are several reasons for this. Mainly it’s because the GDPR requires the user to make an ‘affirmative action’ to signal their consent. Simply visiting a site for the first time would not qualify. So loading up your landing pages with cookies in the hope people won’t opt-out, won’t wash.

Advice to adjust browser settings won’t be enough. The GDPR says it must be as easy to withdraw consent as give it. Telling people to block cookies if they don’t consent would not meet this criterion. It both difficult, ineffective against non-cookie based tracking, and doesn’t provide enough granularity of choice.

‘By using this site, you accept cookies’ statements will not be compliant. If there is no genuine and free choice, then there is no valid consent. Also people who don’t consent also cannot suffer detriment, which means you have to provide some service to those who don’t accept those terms. Which also means…

Sites will need an always available opt-out. Even after getting valid consent, there must be a route for people to change their mind. Again this comes down to the requirement that withdrawing consent must be as easy as giving it.

Soft opt-in is likely the best consent model. This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action. Although see above about a persistent opt-out route. This however may not be sufficient for sites that contain health related content, or other sites where the browsing history may reveal sensitive personal data about the visitor. Then it may require explicit consent, a higher bar to get over.

You need a response to Do Not Track browser requests. A DNT:1 signal is a valid browser setting communicating a visitor preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.

Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose. This means granular levels of control, with separate consents for tracking and analytics cookies for example.

I've been the webmaster of a personal website, I spent rawly 3 days to get my things straight about a GDPR compliant consent at the time, reading documentation around, analyzing the cookies on the site, building a compliant consent with opt out options, and there are templates to use as base.

You can inform yourself in those sites and there is plenty of other reference sites for platforms superusers and small sites webmasters, the documentation around is massive.

This thread is simply about:

the site that should hold our data (@ZOS would you care to tell us which ones in details and to which extend? Since not everyone is able or have the time to analyze logs and transparency is needed and this is up to you), so that site currently don't have a GDPR compliant consent for cookies and it's not promising at all, it's a basic thing to have.
It's something that can be added at any time and hopefully will be added.

Then there is the part about the data shared from the game but it's obscure for me and for many and I think @ZOS should come out clear and straight about this and explain how the whole data sharing/storing is going to get managed since they are providing support for this.

It doesn't matter. ESOlogs does not have a business entity in the EU and from everything I've seen their website is not hosted in the EU. Therefore GDPR compliance does not apply to the website. The EU cannot enforce laws outside of its boundaries and as the US, much to my chagrin, does not have any data privacy laws US based websites are pretty much free to do what they want. Your only recourse to attempt to get redress under GDPR is to put the responsibility on ZOS and EOS for making the interface available.

Hallothiel

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Alinhbo_Tyaka

Hallothiel wrote: »

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Esologs website is not hosted in the EU and is owned by an LLC located in Texas based on the records I can find. The ESO game has servers in the EU and it is the game that sends the information to esologs. This why I have said it does not matter whether the esologs.com website complies or does not comply with GDPR as they are not in the EU. The only recourse is through ZOS not sending the information without permission to a non-compliant website since they do business and have servers located in the EU.

Ogou

Alinhbo_Tyaka wrote: »

Hallothiel wrote: »

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Esologs website is not hosted in the EU and is owned by an LLC located in Texas based on the records I can find. The ESO game has servers in the EU and it is the game that sends the information to esologs. This why I have said it does not matter whether the esologs.com website complies or does not comply with GDPR as they are not in the EU. The only recourse is through ZOS not sending the information without permission to a non-compliant website since they do business and have servers located in the EU.

Except ZOS does not send any information to esologs, they just give players access to the logs on their computer and those players can upload it anywhere they want. So that won't work either.

Alinhbo_Tyaka

Ogou wrote: »

Alinhbo_Tyaka wrote: »

Hallothiel wrote: »

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Esologs website is not hosted in the EU and is owned by an LLC located in Texas based on the records I can find. The ESO game has servers in the EU and it is the game that sends the information to esologs. This why I have said it does not matter whether the esologs.com website complies or does not comply with GDPR as they are not in the EU. The only recourse is through ZOS not sending the information without permission to a non-compliant website since they do business and have servers located in the EU.

Except ZOS does not send any information to esologs, they just give players access to the logs on their computer and those players can upload it anywhere they want. So that won't work either.

It will if ZOS provides a player option to not log at all.

Jeremy

Alinhbo_Tyaka wrote: »

Hallothiel wrote: »

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Esologs website is not hosted in the EU and is owned by an LLC located in Texas based on the records I can find. The ESO game has servers in the EU and it is the game that sends the information to esologs. This why I have said it does not matter whether the esologs.com website complies or does not comply with GDPR as they are not in the EU. The only recourse is through ZOS not sending the information without permission to a non-compliant website since they do business and have servers located in the EU.

This shouldn't matter because the responsibility of the GDPR falls squarely on the collectors and controllers of the personal data themselves - which in this case would be ZoS because they are the ones collecting this data and making it available to 3rd party websites. The GDPR is pretty specific here and states clearly these protections still apply even if the data is being shared with 3rd parties outside of the EEA (European Economic Area).

You're right that the legal recourse would be through ZoS. But I don't really see how that affects the overall debate.

Heelie

the amount of people not understanding EU law is......

Mudcrabber

If by chance they're hosted in California, the CCPA goes into effect starting in 2020, very similar to the GDPR.

These laws are a minefield of uncertainty for a web developers. You read and reread and you're still no closer to understanding it because the people who passed the laws probably didn't them understand either. Take this forum for instance. When you view a thread, ZOS is sending you "personal data" that they "collected". They do a poor job of distinguish between the necessary functions of a website/service and the mass spying/peddling that they're trying to combat. None of these laws were written for me, yet (generally speaking) I'm almost certainly already out of compliance when I'm not spying in the first place, with no solution that results in a functional service. It'll just be another one of those things that'll go 99.9% unenforced until someone in government decides they don't like you.

Alinhbo_Tyaka

Jeremy wrote: »

Alinhbo_Tyaka wrote: »

Hallothiel wrote: »

@Alinhbo_Tyaka

But the EU server is based in the, er, EU.

Esologs website is not hosted in the EU and is owned by an LLC located in Texas based on the records I can find. The ESO game has servers in the EU and it is the game that sends the information to esologs. This why I have said it does not matter whether the esologs.com website complies or does not comply with GDPR as they are not in the EU. The only recourse is through ZOS not sending the information without permission to a non-compliant website since they do business and have servers located in the EU.

This shouldn't matter because the responsibility of the GDPR falls squarely on the collectors and controllers of the personal data themselves - which in this case would be ZoS because they are the ones collecting this data and making it available to 3rd party websites. The GDPR is pretty specific here and states clearly these protections still apply even if the data is being shared with 3rd parties outside of the EEA (European Economic Area).

You're right that the legal recourse would be through ZoS. But I don't really see how that affects the overall debate.

It affects the debate because too many of the posts keep going back to the esologs website being non-compliant when the fact is it doesn't have to be compliant and it is not party that needs to be taken to task. Instead the posts need to be explicit in it is ZOS who is responsible for ensuring the game hosted on EU based servers is GDPR compliant.

I don't know the ins and outs of the law to determine whether ZOS gathering statistics in a way that appears to conform to the game's TOS and privacy policy breaks the GDPR. I do think from an ethical viewpoint the players should have the option of disabling collection of their statistics by other players. It seems to me a player being able to disable statistics gathering would also eliminate any doubts about complying with GDPR. I'd call that a win-win.

anitajoneb17_ESO

Mudcrabber wrote: »

If by chance they're hosted in California, the CCPA goes into effect starting in 2020, very similar to the GDPR.

ESOlogs is run by a company named "Irksome and strange", based in Houston, Texas, USA.

Alinhbo_Tyaka

anitajoneb17_ESO wrote: »

Mudcrabber wrote: »

If by chance they're hosted in California, the CCPA goes into effect starting in 2020, very similar to the GDPR.

ESOlogs is run by a company named "Irksome and strange", based in Houston, Texas, USA.

And the server appears to be hosted by a company in Oregon.