How does GDPR affect player groups that collect information on their members

The data mentioned in OP, Commander name, commodities and amounts shipped, are those even the player's data? Wouldn't be surprised if Frontier considers it their data.
 
Sorry, that's wrong. In the journal you receive at least the commander names when you play in open and have the honor to meet one (I know, that's not often the case right now :D), and in the log/extended log you have a list of P2P-Connections including IPs of your instance.
The Journal and logs are mostly irrelevant here. You can see the commander names in game when you meet someone, and you can tie that to IP addresses using things like your router firewall logs, or your operating system's network management tools. Yes, the Journal/logs make it easier to extract this information, but you could do it without them.

So, the question then becomes: is it legitimate for Frontier to share (in-game) names and IP addresses with other players for the purposes of providing a multiplayer internet game ... to which the answer should be a pretty clear "yes". Their privacy policy explicitly covers this issue anyway, and I assume their legal advice is better than mine. ;)

Thank you! Which articles apply to point 5?
Article 6, compare 1a with 1b or 1f, for justifications for processing
Article 7 has most of the conditions to be met for using 6.1.a
Some of the other articles sometimes work differently if consent is the justification under 6.1

Would GDPR in its current form prevent such? Or does it contain provisions towards sharing information about general bad behaviour?
I think this would come under the personal/household exemption to start with, if you're making personal recordings

It would get rather more complicated if an organisation were to be processing the data (because you gave them that information) - Article 14 could be interesting - and my non-legal advice would be "don't".

As regards "sharing information about general bad behaviour" you might find the precedent described at https://www.bristows.com/news-and-p...ormation-can-an-employer-process-and-disclose relevant as example of the difficulties you can get into, though it's not an exactly parallel situation.
 
So, the question then becomes: is it legitimate for Frontier to share (in-game) names and IP addresses with other players for the purposes of providing a multiplayer internet game ... to which the answer should be a pretty clear "yes". Their privacy policy explicitly covers this issue anyway, and I assume their legal advice is better than mine. ;)

I'm not sure here.

We have similar issues with a - well - very common CRM-System that is in use worldwide (working for a company with 4 million customers and 60.000+ employees), there are similar issues and legal said: Nope, pls implement technical measures here (encryption/masking). Also 3rd-party in foreign countries (out of Europe) were a big issue (Isn't FD using AWS? And Elite is running almost worldwide?).

Example: One Chinese d00d is scanning logfiles and builds a database with commander names and IP addresses. Is it allowed? Yes, Frontier does not prohibit that in their EULA. And GDPR says: Data transmission to a land outside of Europe = only allowed when the same measures apply as in Europe. Don't see that :) Same is with AWS - even if the servers are running in Europe, they have a follow-the-sun-policy when it comes to technical issues, so it's possible that an Indian technician checks a European server = problem. I don't like that, but that's how all big companies have to deal with in the past 12 months. No idea how many pages of contracts I have written in the last weeks, must have been 2000 pages or so.

I hope all this crap does not apply to computer games, I have yet to find the exception for games in the GDPR.

I'm 100% certain they have at least to work on their logs and the journals, but that is not my decision (but as we all know: there's always "one idiot" who tests that and files a lawsuit).
 
I have another question. This is a little off topic. This was something that happened a long time ago in my Elite history.

I had wanted to get involved in powerplay with a certain power but due to my affiliation with a particular player group I wasn't allowed.
I had shared the logs of our communication (it was in text) as to why I wasn't allowed. This apparently wasn't taken very well by the admin in question.

We had gotten onto a voice channel one day with a representative of a player group and the admin/moderator of the powerplay operation's group to sort this out.

Apparently the reason for this was to ensure that no text logs could be made. Learning of this, I had quickly started recording the conversation because I believe that a person that would go to lengths to avoid being cited wants to say something they know would paint them in a bad light. Within it contained what I would deem flagrant toxicity from these leaders of powerplay operations and player group.

At the time, due to the international nature of the voice communication, it is unclear legally whether a one party notification or a two party notification would apply. That means, do both sides need to know that it's being recorded or just one side? It's one party for mine and where I was at the time, and two party for their country of origin at the time but only if it's for businesses. I never did find out how it applied to natural people.

I believe I was in the right to be allowed to record my specific conversations with these people for future reference without notification (that means telling them that they're being recorded) because it was an international call.

Here's the thing, I had an audio file with evidence of generally terrible and bullying behaviour from specific leaders of powerplay. Under GDPR, would a voice recording be considered personal information?
And I would have been able to share it for the purpose of shedding light on an instance of bullying and toxicity that I had personally borne witness to?

Would GDPR in its current form prevent such? Or does it contain provisions towards sharing information about general bad behaviour?

I have not shared the file in its entirety and would likely never do so.

Lol? Are you for real? Don't you find it a bit weird to wiretap personal conversations? And what for? Like you can't just take pictures of strangers and use them at your leisure you can't just record personal conversations. And then go on a public forum and announce you just did so.
 
I'm not sure here.

We have similar issues with a - well - very common CRM-System that is in use worldwide (working for a company with 4 million customers and 60.000+ employees), there are similar issues and legal said: Nope, pls implement technical measures here (encryption/masking). Also 3rd-party in foreign countries (out of Europe) were a big issue (Isn't FD using AWS? And Elite is running almost worldwide?).

Example: One Chinese d00d is scanning logfiles and builds a database with commander names and IP addresses. Is it allowed? Yes, Frontier does not prohibit that in their EULA. And GDPR says: Data transmission to a land outside of Europe = only allowed when the same measures apply as in Europe. Don't see that :) Same is with AWS - even if the servers are running in Europe, they have a follow-the-sun-policy when it comes to technical issues, so it's possible that an Indian technician checks a European server = problem. I don't like that, but that's how all big companies have to deal with in the past 12 months. No idea how many pages of contracts I have written in the last weeks, must have been 2000 pages or so.

I hope all this crap does not apply to computer games, I have yet to find the exception for games in the GDPR.

I'm 100% certain they have at least to work on their logs and the journals, but that is not my decision (but as we all know: there's always "one idiot" who tests that and files a lawsuit).

Sorry for expressing myself so angrily :eek:, but your posts are beginning to be of doubtful credibility by my criteria.
I checked 1 hour ago that Frontier encrypts data correctly, and that it does not provide IP, email or any data that another comdr could learn without explicit consent. I've been in open, wing, solo (mode only) and private group, and it's OK on Frontier's side.
I refer to my post n33, for possible specific technical review.
 
Sorry for expressing myself so angrily :eek:, but your posts are beginning to be of doubtful credibility by my criteria.
I checked 1 hour ago that Frontier encrypts data correctly, and that it does not provide IP, email or any data that another comdr could learn without explicit consent. I've been in open, wing, solo (mode only) and private group, and it's OK on Frontier's side.
I refer to my post n33, for possible specific technical review.

Logfiles/Journals are not encrypted.
 
Lol? Are you for real? Don't you find it a bit weird to wiretap personal conversations? And what for? Like you can't just take pictures of strangers and use them at your leisure you can't just record personal conversations. And then go on a public forum and announce you just did so.
It's not wiretapping. I'm not a third party hacking into someone else's call. I'm one of the participants of the call. I'm recording my personal conversation with someone else. It's not illegal to record your personal conversations. This is where you should look up two party notification and one party notification and how it applies to an international call with regards to personal use.

So I think your second question is loaded. To your third question, what for? It was for personal reference and because I knew I'd have caught some really... toxic things though I didn't realise the scope. That call honestly made me feel really sick and I should have ended it sooner.

With regards to your taking picture analogy. A better analogy is taking a picture of someone hurling verbal abuse or physical towards you. We still have picture taking such photos so I think there's some lawful coverage when it deals with showing a spotlight on toxic behaviour.

edit: Actually to add to that, given it was a player group, that may be considered an unincorporated association, and that I was speaking to leaders about an association matter, admission to the group, perhaps it's not merely a personal call but is instead one where I recorded my interaction with a representative of the player group in question.

Edit2: You also have to take into account we were from two countries that have different recording notification laws.

Anyways, the crux of what I was asking is really about what happens if we encounter verbal abuse online in video game communities, whether within player groups or outside of it. And how recording that works with regards to GDPR. There will be members of our community who will still face crap from the more toxic members of our community. If there's anything we can do to prevent CMDRs from going through what I went through with these two CMDRs I had the "pleasure" of speaking to, I would love to prevent it and if I'm unable to, to give power to victims to ensure such folks don't get away with it. Like the CMDRs I spoke to have done so. - While being GDPR compliant.

The Journal and logs are mostly irrelevant here. You can see the commander names in game when you meet someone, and you can tie that to IP addresses using things like your router firewall logs, or your operating system's network management tools. Yes, the Journal/logs make it easier to extract this information, but you could do it without them.

So, the question then becomes: is it legitimate for Frontier to share (in-game) names and IP addresses with other players for the purposes of providing a multiplayer internet game ... to which the answer should be a pretty clear "yes". Their privacy policy explicitly covers this issue anyway, and I assume their legal advice is better than mine. ;)


Article 6, compare 1a with 1b or 1f, for justifications for processing
Article 7 has most of the conditions to be met for using 6.1.a
Some of the other articles sometimes work differently if consent is the justification under 6.1


I think this would come under the personal/household exemption to start with, if you're making personal recordings

It would get rather more complicated if an organisation were to be processing the data (because you gave them that information) - Article 14 could be interesting - and my non-legal advice would be "don't".

As regards "sharing information about general bad behaviour" you might find the precedent described at https://www.bristows.com/news-and-p...ormation-can-an-employer-process-and-disclose relevant as example of the difficulties you can get into, though it's not an exactly parallel situation.

Thanks I'll have a read.
 
That's data of the game, only of your character, and you only receive it from anyone else. In order without comments :rolleyes:,
E

That's exactly the problem. FD could be in the position to say "Hey, it's P2P, we don't know what connections you have", but that could also lead to problems.
 
I'm not sure here.

We have similar issues with a - well - very common CRM-System that is in use worldwide (working for a company with 4 million customers and 60.000+ employees), there are similar issues and legal said: Nope, pls implement technical measures here (encryption/masking). Also 3rd-party in foreign countries (out of Europe) were a big issue (Isn't FD using AWS? And Elite is running almost worldwide?).

Example: One Chinese d00d is scanning logfiles and builds a database with commander names and IP addresses. Is it allowed? Yes, Frontier does not prohibit that in their EULA. And GDPR says: Data transmission to a land outside of Europe = only allowed when the same measures apply as in Europe. Don't see that :) Same is with AWS - even if the servers are running in Europe, they have a follow-the-sun-policy when it comes to technical issues, so it's possible that an Indian technician checks a European server = problem. I don't like that, but that's how all big companies have to deal with in the past 12 months. No idea how many pages of contracts I have written in the last weeks, must have been 2000 pages or so.

I hope all this crap does not apply to computer games, I have yet to find the exception for games in the GDPR.

I'm 100% certain they have at least to work on their logs and the journals, but that is not my decision (but as we all know: there's always "one idiot" who tests that and files a lawsuit).


I believe Frontier is allowed to share IP addresses with other commanders, in the case that the player in question clicked 'Open' or 'Private Group' in the menu. When you click open/group you expect Frontier to provide you with an online service, which in this case means that your IP will be shared with other p2p clients (but nobody else, like Cambridge Analytica).
It would be very strange if a Solo player's commander name or IP address would be shared with other commanders though. I'm not sure what you are referring to with the AWS bits in this topic (or the bit about Indian technicians).

I'm positive AWS personnel cannot look at the data contained in our databases for example, or log in to our servers directly. I work for a European processor in GDPR terms, which processes personal information like usernames, email addresses and IP addresses (amongst even more personal information in some cases), and we run on AWS infrastructure as well. We certainly don't need to do masking/encryption on IP addresses, since it's required for us to operate (identifying malicious actors). If we cannot monitor/log IP addresses we cannot adequately protect our controllers' data against said malicious actors. However we don't share the IP addresses to the public, which is perhaps the case with the CRM you mentioned.

Anyway I believe normal player groups operating on the services that Frontier provide would not have to worry about GDPR one bit.
 
That's exactly the problem. FD could be in the position to say "Hey, it's P2P, we don't know what connections you have", but that could also lead to problems.


Definitely do not know what you are talking about. Your criteria have ceased to be valid for me, to the box of not valid. The end.
 
We have similar issues with a - well - very common CRM-System that is in use worldwide (working for a company with 4 million customers and 60.000+ employees), there are similar issues and legal said: Nope, pls implement technical measures here (encryption/masking).
Sure - but that's a situation where IP addresses are being recorded for legitimate internal purposes, presumably don't need to be shared with other customers, and encrypting when stored is just good practice there.

Example: One Chinese d00d is scanning logfiles and builds a database with commander names and IP addresses. Is it allowed? Yes, Frontier does not prohibit that in their EULA. And GDPR says: Data transmission to a land outside of Europe = only allowed when the same measures apply as in Europe.
Chinese d00d is an individual so out of scope of the GDPR, though.

As above, you can get this information without the logfiles, so under this interpretation FDev would be prohibited from matching EU players with non-EU players at all.
 
How does GDPR affect informal playergroups like those that run PMFs?

i've been following this thread with great interest but i am none the wiser.

i see gdpr as a good thing but doing a really crappy job at addressing amateur work and initiatives, which is where i see the most real potential of the net for human social advancement (yeah, i'm a nostalgic cyberpunk loving early adopter of the internet who had to get over the dismay of seeing it taken by storm by marketeers and all kinds of meatgrinders). honestly reading the regulations it is absolutely opaque to me what it means for me to share a simple google spreadsheet. the implications could be terrifying but ... does that really make sense?

i have serious doubts that the approach by eddb (et al) shared in this thread is fully complying with the regulations, if they are to be taken literally. specifically they incur in generic statements and warnings that, while informing the user, fall very short in describing exactly what info is gathered, how it is processed, and most importantly in providing the user control over it (remember, with the same ease of access that is offered to gather it in the first place, this is quite a thing). then again they are accepting donations, so they are much more exposed (as potentially being considered a business) than you. and then again it's all about context.

current context is that nobody has yet a real clue as to how all this is supposed to work in detail. which is, otoh, a common thing when legislators tackle such big goals, and a golden opportunity for wannabe experts to sell their magic advisory services. classic.

on another level the context is that it will take some time for these issues to become clear, and conforming measures and policies adopted and standardized. meanwhile, it's just a matter of exposure. as an altruist endeavour, if you were caught doing shady stuff (hypothetically) you would have to deal with charges for violating gdpr as well. else, i don't think nobody would ever care about you or your commodity tracking. your worst nightmare i guess would be some butthole or disgruntled user of your website specifically looking to cause you trouble. i honestly don't think anybody would pay them any attention. but in the not impossible case someone did, i think your good faith disclaimers and the very nature of your activity would cover you during this transition period.

forgot to say, i'm not a lawyer (which is double funny since i'm quite sure that not even lawyers have a real clue about this right now).
 
Sure - but that's a situation where IP addresses are being recorded for legitimate internal purposes, presumably don't need to be shared with other customers, and encrypting when stored is just good practice there.


Chinese d00d is an individual so out of scope of the GDPR, though.

As above, you can get this information without the logfiles, so under this interpretation FDev would be prohibited from matching EU players with non-EU players at all.

Chinese d00d as an individual is out of scope, correct. Frontier as data controller providing data to foreign countries is not (Art. 40 to 50). And so on.

But hey - there can be several different positions, as always - and I'll guess that FD's legal department's answer on all questions was "It depends. Or 42".

:D
 