Chatlands and the GDPR

Suggestions for Chatlands
Post Reply
User avatar
underdog
Chatlands Owner
Posts: 70
Joined: Sun Apr 12, 2020 2:05 am

Chatlands and the GDPR

Post by underdog »

Hello folks,

There's been a recent conversation about how the GDPR affects Chatlands over on the Wolfhome Forum. For those of you who are unfamiliar with the GDPR, this is a law that the European Union enacted in 2018 that gives individuals in the EU certain rights over their data. As Chatlands has many members from the EU (waves at EU members!) this is a law that we need and want follow. Personally I strongly support individual privacy and allowing people to control their own data. There were a few different points that were raised. The concerns I will address here are how we use cookies, how we use IP addresses and how we manage data related to admin conversations on both Chatlands and on other sites such as Discord.

Regarding Chatlands cookie policy, I agree that Chatlands sites need to have better cookie policy alerts for non-functional cookies. As far as I am aware, the only cookies we have on Chatlands are for google ads. We no longer run google analytics or statcounter. I will add a cookie consent dialog that makes this clear containing a link to our privacy policy.

Regarding websites and their use of IP addresses, I researched GDPR compliance when working on the Revolvy site years ago. My son Luke is helping on this and has made many GDPR compliant websites. Other websites that are GDPR compliant routinely use IP addresses for administrative purposes. To the best of our knowledge, the Chatlands privacy policy covers its use of IP addresses and is in compliance with GDPR. However, the GDPR rules were recently updated, and this is something I want to get right. So, I will research this and then make any necessary "course corrections" in the coming months, and in that event I will post an update to this thread.

Regarding the concern about admin discord conversations as related to GDPR compliance, this is not the way this law works. In fact, I am unaware of any sites that have this policy. Even in Google and Facebook, where they have automated archives for user data access requests, it never returns logs where other individuals are discussing your account. One reason is that this would infringe on the admin's right to data privacy, which is another crucial part of GDPR.

Again, I think that data privacy is extremely important, especially in today's internet. This is something I want to get right, and I will make this a priority. I do appeciate the issue being brought to my attention.

As always, thanks for being a part of Chatlands,

===Underdog===
0 x
Colossith
Posts: 2
Joined: Thu Jul 07, 2022 9:55 pm

Re: Chatlands and the GDPR

Post by Colossith »

Excuse how long this post is going to be. My original post was intended to highlight that certain caveats should exist, the shape of those caveats is the fine line between ensuring confidentiality/sensitivity without unduely witholding information from users. Different companies have different policies. Riot Games provide three months of chat logs and report history. Activision Blizzard keeps much longer logs in terms of report history. Riot therefore provides three months of history, Blizzard provides years. Here is an example of forum moderator considerations: https://blog.vanillaforums.com/communit ... ity-forums

Riot Games are known for using automated reporting tools to scan chat logs so employee discussion of users is rarely carried out by a Riot employee. The same goes for Facebook and YouTube. Even appeals or reports meant to be made at "humans" go to automated systems. In many ways comparing Chatlands to larger corporations is apples to oranges as Chatlands has little to no automation. You need to therefore look into more manually-orientated case studies on how data should be retained and published to those who request it. I've included an example below. While it is not specific to forum moderation/chat moderation per se the principles are the same in the case of Chatlands moderation as a whole.

The problem Chatlands has, which is a conversation that has been had before, is that discussions about users are not tagged to specific accounts in an isolated way. Chatlands discussions are scattered via forums different means thus making data more difficult to collate.

Companies are taking a more and more automated approach to reporting to cut costs and to avoid wide ranging GDPR requests being a problem. GMs for Activision Blizzard rarely collaborate with one another, that is evident by how broadly they process the same report from various users. Anecdotal evidence has been seen over the years that consistency within Activision Blizzard support exists and that is likely due to a lack of collaboration when it comes to handling user tickets. They will have set processes in place, guidelines for how much leeway they can provide and a supervisor/manager who oversees their report handling. Reports are maintained on user accounts and not within a forum as they are on Chatlands. Blizzard are a company that seems to have more human intervention than companies such as Facebook or YouTube.

Facebook and YouTube do have human moderation. I've never seen an example of a GDPR request for someone with human intervention from Riot or Blizzard as my accounts don't have that type of information tied to them. Riot interestingly shows aggregate report history including reports made and received about a user. I cannot provide full information of what reports received looks like as I have no reports against my Riot account to look at. The fact that Riot includes both received and sent reports should indicate that maybe Chatlands should include that. How an admin receives the report does not matter as Chatlands is a more scattered ecosystem. The point is that they are received and thus should be reported on. I've seen the reports that come through from Riot, they include the entire chat log from a match or lobby made by the reported user. They do not release who reported it. They do however release all reports, whether they are found to be punishable or not.

Chatlands could take a similar approach "received following report on X date [insert logs] after discussion user was given a warning/ban for X days/weeks/months/permanent".

https://support-leagueoflegends.riotgam ... count-Data

Your Summoner name, username, and server
The phone number attached to your account
Your registered date of birth
Aggregate report history, including reports made and received from the last 3 months (or the past 100 games, if you’ve played more than that in the last 3 months)
In-game chat logs for the last 3 months (or the past 100 games, if you’ve played more than that in the last 3 months)
Login history for the last 3 months
Player Support ticket history
Account modifications for the last 3 months
All store transactions (skins, champions, etc.)
All monetary (RP) purchases
Discord

Discord absolutely should be mentioned as a platform you willingly share user information to. Information on Discord is arguably within Discord's privacy policy but they act as a data processorfor Chatlands, as well as a data controller. Discord controls the personal data submitted by users to their platform, but you ask them to process private information when posting user information to their platform. Joint-controllers exist as a concept. https://www.highspeedtraining.co.uk/hub ... rocessors/. This has been done without fully informed user consent at present. If user logs or IP addresses or any identifying personal info of a user is sent to Discord, it should be declared as a data processing platform.

https://www.blizzard.com/en-gb/legal/8c ... 2232422245 Blizzard make it very apparent in their privacy policy that they share information to other platforms. They detail where data is stored. Note how they state it is stored at Blizard Entertainment, Inc. This is likely due to Blizzard using applications within internal instances on their California ran servers:
With partners and service providers. Blizzard may provide information to its vendors, consultants, marketing partners, research firms and other service providers or business partners. For example, we may provide information to such parties to help facilitate event ticket sales, conduct surveys on our behalf and process payments for our products and/or games. We share some of our players’ game data with our community of developers, who create applications and websites that benefit our player community. You may opt out of having your game data included in this program by opting out of game-data sharing in the Privacy section of your Battle.net account.

With subsidiaries and affiliates. We share information with our subsidiaries and affiliates to help us provide our services or conduct personal information processing on our behalf. For example, Blizzard processes and stores information at Blizzard Entertainment, Inc. in the United States.
IP Addresses
Other websites that are GDPR compliant routinely use IP addresses for administrative purposes. To the best of our knowledge, the Chatlands privacy policy covers its use of IP addresses and is in compliance with GDPR.


My original post did not refute the usage of IP addresses but did point to IP addresses being considered personal data. As seen above, IP addresses are included in requests for personal data by other providers. That was why I mentioned IP addresses in my original post.

Confidentiality of natural persons vs a data processor

As I stated originally: Data can be anonymised where appropriate/possible (omitting who said what but not what they said). If a user is reported and then an admin discussion occurs regarding what disciplinary action they should face, the exact posts should arguably be included within a GDPR report as it's data about a user. It depends on the content of the post. If an admin posts a huge write-up linking several accounts together to decipher a ban hop, that user really should be privvy to that information as it pertains to them, their account and they may be able to refute the evidence attributed to being theirs. One could argue that including and anonymising every single post from an admin thread would be an unreasonably large request for Chatlands, therefore a high-level view of posts, including key "fact finding" posts would potentially be more appropriate. This would require legal advice from a governing body to confirm. I have only acted in a capacity for a larger body where we can enact automated data scraping techniques with sanity checks at the end. Chatlands is a different beast in that regard. A governing body may be able to provide more information on what would be deemed appropriate for Chatlands.

Aggregated reports could be as simple as "three counts of a vote for a week long ban and two counts of a vote for a one month ban" or it could be the posts with data on who made the post omitted. Hence my caveat of "well under GDPR admin discussions are not strictly entirely 100% confidential". Users do not have the right to know who posted it, they do not have the right to know who replied with thoughts. They do have the right to know what those logs are. Users have the right to know what they have been investigated for in the past. If you opt to have indefinite holding of information, under GDPR you have to be willing to provide indefinite timelines of data publishing.

GDPR is not meant to harm a data processor by identfying them as a natural persons thus, as said many times, omitting who said what and any identifying information would be well within the scope of GDPR laws. Posts which make it obvious who posted despite anonymising of data would also be appropriate to omit.

A good example is how the law considers things such as disciplinary files would be HR files: https://www.breathehr.com/en-gb/blog/to ... s-requests

You must provide all the personal data that you hold about the employee who is making a SAR, including anything held in an HR system, on paper, in spreadsheets, email correspondence and every other type of record.
The scope of a SAR is far reaching and includes emails that refer to an employee, their performance reviews, job interviews, payroll records, absence records and any information about disciplinaries.
The data must be provided free of charge to your employee.
All data must be provided to an employee in a secure format. If you provide the data electronically, it needs to be password protected.
Data must be provided in an easily accessible format.
The data needs to be easy to read and understand.
Businesses must now respond to SARs within 30 days (it was previously 40).
SARs no longer have to be made in writing. Employees are free to make requests as they see fit and this includes a verbal request.
I've seen a full GDPR compliant HR file in the past while assisting with a constructive dismissal case, they genuinely do contain a wide range of communications discussed about an employee being investigated. Signatures, tos, froms and CC fields were redacted. Meeting minutes without the person being investigated being present were also included. Those involved in HR discussions retain their privacy from their names being redacted.

Private informal thoughts about someone are protected due to them being considered the thoughts of a natural person, but data as it is processed during a report proceeding would not. There's a difference between private thoughts and thoughts pertaining to the investigation of a user's conduct. There is a fine line between wanting to protect admins and moderators from voicing frustrations and witholding user data. A good example would be complaints sent to you privately. As the data controller, reports you receive are considered under GDPR to still be complaints. If they are complaints about an identifiable individual, they are the subject to GDPR requests. Again anonymising of data is appropriate to protect those who reported the incident. It would however be inappropriate for you to deny the contents of the report or said report's existence. Other platforms publish reports they receive, as outlined above in my example from Riot Games. Chatlands is obliged to do the same. The method in which you receive the report does not matter. If a data processor or data controller acting on behalf of Chatlands receives a report about a user, the user has a right to know under a GDPR request.

Public vs Private
Even in Google and Facebook, where they have automated archives for user data access requests, it never returns logs where other individuals are discussing your account.


Public posts on Facebook have been fair game for years, prior to GDPR. Publicly made logs on Chatlands are kept hidden. When I stated that logs from other users should have a caveat, this is what I was referring to. Publicly posted logs are publicly posted logs. If done in private then they are considered private thoughts. I can search for various terms on YouTube to see if comments containing usernames exist publicly. I didn't at any point name genuine private conversations as being the target of a GDPR request. With of course the caveat of when someone is acting as a data processor.

Facebook has a place to view posts that a user has been tagged in. We as Facebook users can search our names and find all public posts which mention our names, they may not even be posts about us, just someone with the same name. When it comes to private groups that adds a level of obfuscation and becomes "private thoughts". Facebook is also a sort of terrible example of GDPR compliance https://www.bbc.co.uk/news/articles/cp9yenpgjwzo . They have in recent months been quoted as to trying to resist Europe's attempts to maintain user privacy laws. Going so far as to threatening to pull out of Europe entirely as a provider https://www.exchangewire.com/blog/2022/ ... h-us-ends/. The EU met their threats with an "OK go for it then." Facebook has been considered to be a company skirting the fine line of GDPR since its inception.

Closed Facebook groups have been used in the past to hide attempts at harassment, those groups get removed by Facebook. It would still be a user's legal right to know what information was posted about them in a private group if they became aware of said group. They may only be told the specific information or specific mentions of their name with no other context.

The facility to remove tags manually has existed for years. It removes the tags entirely and no longer links back to a specific profile page, thus anonymising the data as it could belong to anyone of a specific name. Depending on where the tag is, the user's name can be completely omitted from a post. The ability to have photographs, posts and videos removed for having personal likeness in them has also existed for years.

Private messages between two people can fall under the category of communications as a "natural person" but it depends entirely on the context. https://law.stackexchange.com/questions ... opean-gdpr

This Regulation does not apply to the processing of personal data: ...

(c) by a natural person in the course of a purely personal or household activity; ...
Private messages between two users would be purely personal by natural persons, however publicly posted logs would not be considered private data. They have chosen to make said communication public and thus it should be distributed when requested. That is why Facebook allows for such public searching of posts. You can also search YouTube comments from users/based on words.

If two moderators have a discussion about user conduct in the forum, that's not purely personal. That's data processing of a specific user. It is very important under GDPR laws to strictly define and understand when a moderator is acting as a data processor and when they are acting as a natural person.

Yes we are not employees but Chatlands essentially has "moderator files" on users. Disciplinary discussions about users do take place in a format where data retention is indefinite. Moderator threads are the online forum equivalent of a HR file. I understand the need for confidentiality but forum moderation really skirts the edges. Moderators do not act as a natural person when moderating chatlands, they act as a data processors.
Regarding the concern about admin discord conversations as related to GDPR compliance, this is not the way this law works.
In this situation you do not understand the law. I've acted as a data processor in the UK since before GDPR laws came into effect. In this situation I do know more than you and I have posted evidence above to support that fact.

12 months prior to GDPR coming into play I had to undertake training to understand the full scope of the legislation. Pretty much everyone who is employed in the UK acts as a data processor in their line of work. This is not something that makes me particularly special but it does make me more familiar with the law than you are. To state that a law does not work in a certain way shows your ignorance in this matter. Everyone in the UK has to work with GDPR in mind as it's a law that affects everything. From Uber Eats drivers to dog groomers. We all have to act with GDPR in mind. Whether people do is an entirely different matter.

If you, the overseers or any Chatlands administrator is willingly posting user information to another platform, you must be prepared to collate that information upon request. Discord has not collected that information about the person, you have and you have posted it to Discord. If it is seen as a "formal" platform for communication of administration, it comes under scrutiny. The same as for the forums. Dumping something into a system is still dumping something into a system, be it a forum or third-party service. Part of the collating process should be skimming mentions of users in Discord and at a minimum disclosing that their information has been posted to Discord at some point, ideally with all the information posted with appropriate anonymising of who posted it.

To put it into perspective, at work we have in the past been asked to scrap our emails and internal communications software for mention of natural person off the back of a GDPR request.

Within my job I also act as a natural person, it's important to understand the difference between those two concepts and when they come into play.

An example of compliant GDPR behaviour:

1) Colleague A contacts me via our internal approved communications system with information about a problem relating to our environment. This is an approved method of communication laid out by our employer as a method of communication. The communications have a retention policy and we are made fully aware that data pertaining to a client or our line of work may be monitored and collated if requested.

2) Colleague A and myself have a voice call via our approved communications system. During the call we discuss the fact that colleague A is going through something personal and we talk about what it is they are going through. It is not a discussion relating to work or our jobs and is a purely private conversation. At this point we are acting as private individuals on a company ran system. Our company is allowed to record/retain said conversations under UK case law. The company would not be allowed to publish private/personal conversations between myself and a colleague that did not pertain to the company in question.

3) Our client has made a demand for a specific window of an emergency deployment. We cannot resource the window due to absences within the team. The client cannot request a reason as to why or who is unavailable due to absences.

An example of non-compliant behaviour/behaviour that does not fall within the scope of GDPR:

1) Colleague A contacts me via Facebook Mesenger with information about a problem relating to our environment. This would be a direct breach of GDPR guidelines. We would be discussing a non-personal matter and thus would not be considered as acting as a natural person. We would be acting as data processors in a non-compliant/approved environment.

2) Colleague A contacts me via personal email with some property listings to get my thoughts on his next investment opportunity. He asks for my opinions. Our work would have no legal ground to monitor these communications and they would be private communications between the two of us. No one outside of me, my coworker and the email provider(s) we use would be privvy to these conversations.

3) I submit a request to my boss requesting holidays via our work's email system. My boss approves the leave request. This request would not be considered data for myself, my boss and my employer to be privvy to. While I do work for specific clients, they would not be privvy to such a conversation as it pertains to me as a natural person and includes my private data.

That's the difference.

Am I saying that all administrator conversations should be posted? No that was not ever laid out as being a concept. I am happy to work with you on this to make Chatlands as compliant as possible as quickly and painlessly as possible. It would not take much and it would not require a knee jerk reaction to dismantle long standing Discord servers and methods of communication that admins are comfortable with. It's basically a game of cheques and balances.
Last edited by Colossith on Mon Jul 11, 2022 9:00 am, edited 6 times in total.
0 x
Colossith
Posts: 2
Joined: Thu Jul 07, 2022 9:55 pm

Re: Chatlands and the GDPR

Post by Colossith »

I raised a series of bullet points in my original post I'll cover here in further.

1) Update the privacy policy to state that information may be discussed off-site on Discord, via admin boards (including the alpha boards), email and anywhere else that user conduct may be discussed. The places that a user's data may be held must be plain and transparent. Link to the GDPR/Privacy policy of any outside third-party should be provided.
As stated above, update the privacy policy to reflect where discussions take place regarding user's private information. As stated before, this is not a call to disclose all administration conversations. This is to inform users that their data may go through servers outside of those owned by Wunderwood LLC.
2) Have a process in place for a SAR. Make it transparent for users. A high level view of what is done is all that would be required, e.g.: "The administration will put together the contents of threads pertaining to you however omissions will be made etc etc." A full low level technical analysis of the process isn't needed.
Provide a link to where the requests can be raised and a high level view of what reports would contain. The Riot Games example I provided is an excellent jump off point. It's straight to the point, transparent and easy to understand. Simpler language may be needed than words such as "aggregate" as your audience is expected to the 13 years of age and over. Requests and privacy policies must be written in a manner legible to the age group your sites cater to.
3) Make it clear how SARs are raised on Wolfhome
This goes for all Chatlands sites, each site should have a link to how an SAR is raised. Do you want users to go to an individual platform for a GDPR related request or is it in the hands of the Chatlands Guardians? Meta and Alphabet tackle this by having GDPR requests in a more granular format. You get Instagram data from Instragram, Facebook data from Facebook, the requests don't go through Meta.
4) Clarification/updating of the following within the privacy policy: the conversation logs are kept in a directory that cannot be accessed with a browser.
Is this entirely true? I find it hard to believe that conversation logs are not accessible with a browser.
5) Chatland's overarching privacy statement is also incorrect: "We log conversations and significant actions (such as kicks and bans) in our ongoing efforts to provide a harmonious chat environment. These logs are kept private. They are not shared with any other company."
That's incorrect and I've stated why.
6) Ensure that all administrators are aware of GDPR, the rights it gives to users and how to comply with it.
This isn't something that is being complied with at the moment. Moderators should be aware of GDPR. Processes they are trained in should fall in line with GDPR. That's the best way to go about it. Fix processes/establish processes which are compliant, ensure everyone complies with said processes.
7) The admin CoC directly contradicts several facets of GDPR and makes no exceptions for it, that should be changed due to the overarching power of Chatlands CoC https://chatlands.com/admin_conduct.php
User information, including e-mails, IPs, etc, is not to be discussed with nor made available to anyone that is not an Administrator. This is the specific sentence that contradicts GDPR.

It should read along the lines of User information, including e-mails, IPs, etc, are routinely used as part of administration tasks. Users may request a copy of this information via our private information request form (include link)
0 x
User avatar
underdog
Chatlands Owner
Posts: 70
Joined: Sun Apr 12, 2020 2:05 am

Re: Chatlands and the GDPR

Post by underdog »

Thanks for the detailed response! There's a lot there to unpack but I will try my best to respond. First off, there's a few changes that I plan to make based on your feedback. I'll get into those later on. Also, it's possible that we're talking past each other on some of this, although it's difficult for me to tell. I do agree with the final point you make in your first post here:
Am I saying that all administrator conversations should be posted? No that was not ever laid out as being a concept.

Luke and I have looked into this and I want to provide more information about why private administrator conversations never need to be included in response to a DSAR request. It sounds like you already believe this, so my apologies if I am saying something that you already agree with. But just to be clear, administrator conversations never need to be included to fulfill a DSAR. For example see the guidance here:

https://www.osano.com/articles/data-sub ... ests-guide

Image

Here is an example from case law in Germany where the court said the company was not required to provide work emails mentioning an ex-employee.

https://www.dataprotectionreport.com/20 ... n-germany/

What it really boils down to is that to the best of our knowledge no tech company does this.

I also want to clarify that the way Chatlands fulfills data access requests is like most other small companies in that I manually fulfill them personally. While an automated DSAR system would be nice to have, I don't have any plans to implement that at this time.

Having said that, here are the things that I am going to do. I agree that in the future, fulfilled DSARs should include anonymized problem tickets about the user making the DSAR request. This would be an attempt to do something similar to Riot Games and other places like Facebook when they provide their data archives.

I now want to go through the bulleted list of items that you gave me.
1) Update the privacy policy to state that information may be discussed off-site on Discord, via admin boards (including the alpha boards), email and anywhere else that user conduct may be discussed. The places that a user's data may be held must be plain and transparent. Link to the GDPR/Privacy policy of any outside third-party should be provided.
As shown in the Osano link above, private conversations by administrators are not the user's personal data. However, to be safe, I will update our privacy policy to be in line with the way Blizzard does this.

Image

In other words by saying that some data may be shared with third parties and service providers. I will add something similar to this to the Chatlands privacy policy. Thank you for the recommendation.
2) Have a process in place for a SAR. Make it transparent for users. A high level view of what is done is all that would be required, e.g.: "The administration will put together the contents of threads pertaining to you however omissions will be made etc etc." A full low level technical analysis of the process isn't needed.

3) Make it clear how SARs are raised on Wolfhome
This will be a manual process as it is with other small businesses. I will update our privacy policy to include the contact information for DSAR and similar requests.
4) Clarification/updating of the following within the privacy policy: the conversation logs are kept in a directory that cannot be accessed with a browser.
It's possible I am not understanding what you are saying here. It is a fact that the chat logs are not in the the web server document root and are not publicly available to users. Also administrator conversations are not publicly available.
5) Chatland's overarching privacy statement is also incorrect: "We log conversations and significant actions (such as kicks and bans) in our ongoing efforts to provide a harmonious chat environment. These logs are kept private. They are not shared with any other company."
Like I mentioned above, I will modify the CL privacy policy to be more like Blizzard's with a statement about data being shared with third parties and service providers.
6) Ensure that all administrators are aware of GDPR, the rights it gives to users and how to comply with it.
Having training for admins on this sounds like a good idea. I will review this with the admins.
7) The admin CoC directly contradicts several facets of GDPR and makes no exceptions for it, that should be changed due to the overarching power of Chatlands CoC https://chatlands.com/admin_conduct.php
It is still true that administrators cannot discuss this information as a part of a DSAR, like I said above, because I personally fulfill DSARs. The administration plays no role and does not share this information.

Once again, thank you for taking the time to post about this. In the end, I feel that what would be the most useful if we wish to continue this discussion is to find links to specific examples of companies implementing GDPR policy, and then I can determine if this same strategy, or something similar to it, needs to be done for Chatlands. Also if you want to avoid a lot of back and forth, you can just message me directly. If you want to do that, I would then publish the results of our conversation back here so that others can see it too. But, it's also fine to continue it here instead if you are more comfortable with this approach.

===underdog===
Last edited by underdog on Wed Jul 13, 2022 12:47 am, edited 1 time in total.
0 x
Post Reply