FYI: Civ6 contains Red Shell Analytics Software

I'm not entirely sure GDPR covers, or intends to cover, hiring a private investigator. A PI who is likely to use a great deal of other avenues than cracking a hashed database for a Steam ID.

(your browser, OS, font choices . . . none of these even remotely pinpoint your physical location. Or even your digital one)

That's what I mean when I say this doesn't contravene GDPR. This doesn't mean the personal issue of data privacy is voided - everyone has their own standards. I mean GDPR is not the door to be knocking on here, and yet unfortunately it's just another initialism people are going to throw out on the Web to make some vague threat of legal action.

The amount of companies that flat out shut down their sites for anyone living in the EU indicate that this is a law not to be trifled with. Nobody with any sense, for any amount of money, is going to be anywhere near contravening it.

That should hopefully cover that angle from me.

 

1. It's not nice to call people dumbasses.
2. We're not talking about game telemetry. We're talking about software embedded into the game that's used for ads and marketing. It has nothing to do with improving the game. Dumbass.

Moderator Action: Trolling a troll is also trolling. Please just report problematic posts and leave them to us. -- Browd
Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889

 

OP doesn't list IP address as something tracked by Red Shell, but per the EULA it's actually explicitly allowed, along with other device data. I don't think you need a PI from there.

I'm not arguing from a GDPR perspective, to be clear. I've already pointed out that I consider this a grimey move worthy of disrespect, not an illegal one. But it really does seem this stuff can be used to find someone and quite a bit of information about them if you have it.

 

Ah, if you're not talking about GDPR, then I think we're talking cross-purposes here.

An IP address is more arguable than say, a Steam ID, but an IP address also doesn't mean a huge deal. It changes more often than you'd assume it does. But that's a whole other thread.

 

A SteamID is personal information and the context does not matter. It's like an IP address which is personal data, even if most people are not able to identify someone using an IP address - you need a judge and a good reason. Anyway because it is possible to identify a person, it is personal data. If you pseudonymize personal data, it is still personal data and you have to be GDPR compliant. There is not a single mention of pseudonymized data not being personal data anymore (there is a recital about this topic: https://gdpr-info.eu/recitals/no-28/). Hashed IP addresses are personal data if they are not salted (and you don't know the salt). End-to-end encrypted data is still personal data as long as somebody knows the key (which is nearly always the case). Data that can identify myself in any way, directly or indirectly, is personal data. It does not matter how difficult the process is.

Edit:
Don't get me wrong, I am not an advocate of the the GDPR. In my opinion it's badly written and counterproductive. I wasted three month for our company to be GDPR compliant. Still, data protection in general is important.

 

So a SteamID is something that identifies you as a person? This isn't your name, your IP address, your machine's MAC address, or anything like that. This is something generated by a third party service which relates to an account the details of which you can't actually get.

And certainly, while I wasn't aware of the IP address before somebody else pointed it out, a Steam ID is nothing like an IP address. It's a generated ID that only has application within that specific third-party online system. It doesn't identify you. It's like complaining about a unique ID field in a database record, generated each time a record is added. The ID alone cannot identify you (as a person).

I think that should be left to the actual lawyers.

Valve will be covered, legally, by the terms of GDPR. Logically, this means companies storing a single Steam ID will be as well. This isn't whataboutism; this is the baseline of "this information can only violate GDPR if everything else that uses it also violates GDPR" (and relies on a EULA and the like - which Valve do with Steam). You can bet Valve will have accounted for this. They're a prominent company, and the fines from GDPR are really not worth it.

Again, lawyers.

 

It does. Valve can identify me using the SteamID.

Yes. It does not matter that this are two different companies and how likely it is to get this data - it is all about the possibility. You don't need a lawyer for this, just read your one quote (Art. 4 Sec. 1). SteamID is clearly personal data because someone (Valve) has a reference between my name and my SteamID. That's it, don't read between the lines, just read the exact definition. I know that this sounds stupid. In our company we have a number that is clearly NOT personal data, but because we also save a timestamp this number becomes personal data in very, very, very rare occasions. It is difficult to get the identity, maybe impossible in most of those rare cases. But even the slightest chance is enough for this to be subject to the GDPR.

It's Take2 (or whoever is responsible for Civ 6) that I am talking about. This is not about Valve, not even Red Shell.

Maybe you should do some research on the topic (if this interests you). Steam being GDPR compliant does not mean that every company that uses the SteamID is 'automagically' GDPR compliant. As I said before, don't read between the lines. Logic is something you should not have in mind when you try to apply the GDPR.

That is not written anywhere in the resolution. I read the whole resolution. Twice It was annoying and boring, but I had to.


Edit:
If this post or any other post related to this topic sounds rude... that was not my intention, English is not my first language and I am one of those persons who rarely uses emojis. I just wanted to clarify some things and share the knowledge I got during the last month. I am not making things up, I did a huge amount of research on this topic because normally I am a software developer, but we are one of those poor companies who cannot afford to pay an expert to do all this stuff, so I had to do it myself. And the more research I did, the easier is was. I have written our privacy policies, data processing agreements, records of data processing, the TOMs and much more. Of course I talked to a lawyer on some difficult topics. As I said before, I think we need good data protection, but I don't like the GDPR. Maybe some of the rules will change over the years, others will be less vague. Still we have to follow its current rules.

 

German article about redshell in civ 6:

https://www.gamestar.de/artikel/red...acking-software-verteidigen-sich,3331371.html

https://www.gamestar.de/artikel/spy...ren-auf-empoerung-ueber-redshell,3331296.html

https://steamed.kotaku.com/16-studios-removing-alleged-spyware-from-pc-games-after-1826966946

https://blog.redshell.io/gdpr-and-red-shell-57f9c03b5769

 

Valve can identify you using your Steam ID, insofar as you're required to have your real name associated with your account (which is slightly misleading, you tie a real name to billing details, which is separate from any names attached to the account itself). But Red Shell aren't Valve. Valve can already identify you via your Steam ID. Red Shell storing that ID doesn't help anyone if they're not Valve. And if they're Valve, they don't need it.

It does precisely matter how the companies are different. The data controller is different. The data processor is different. The required use of the data involved in different. Everything about this data relating to GDPR is different. I get that you're not a huge fan of GDPR, but this doesn't mean companies are automatically in violation of it either. You don't need to suggest I do research on it, either. Bit unfair, yeah? Assuming "data controller" is one of those tech phrases that crosses the language barrier, you should perhaps already be able to tell I have knowledge about this.

When I say "if X is in violation, Y is as well", I mean that Red Shell (or 2K) cannot be violating GDPR due to relying on a EULA, because that's exactly how Valve does it as well. Anonymised or partially-anonymised data, combined with a EULA that people consent to to use the product. Again (not directed at you, but generally), this isn't whataboutism. I'm not requiring you to get annoyed at Valve. I'm saying because Valve rely on exactly the same legal premise (a EULA), 2K cannot be in violation of GDPR with this. Because they have a EULA.

As I've said throughout the thread, feel free to ask for more transparency. Feel free to be upset. But that doesn't mean that any law is being broken.

 

And this is where you are wrong. That is not the case. Those "chained exceptions" don't exist. If you use personal data, even if someone else "owns" this data, it is still you who have to be GDPR compliant. It is totally irrelevant what Valve or Red Shell are doing, Take 2 must be compliant on its own. And that is what my first post was about.

Of course they can. Different company, different rules. One company may have a valid reason to store personal data, because that is what the company is doing. Its their business. Another company cannot use the same data and just rely on that exact same reason just because the other company did that. Otherwise everyone would be allowed to store your SteamID for absolutly no reason. They could state that Valve already is GDPR compliant and they are now allowed to store your SteamID. GDPR compliance does not mean that the SteamID is now GDPR compliant and everyone can use it for the reason Valve stated. It just means that the data processing of Valve is GDPR compliant. If another company uses the SteamID, they have to be compliant for their own. They have to prove why they need the SteamID, how they store it and everything else that the GDPR is about.

Sorry, but what else could I say? I am just telling you what I know. It wasn't just some hours of "Google research" that I did, it was month of full-time work. If you think I am making this up, then the only possibility is to research this for yourself. There are a lot of good and helpful articles. I did not want to be mean or unfair.

 

The problem is you're taking what you know with your single use case and applying it to companies you have zero knowledge of. You do not know 2K's reasons for holding the data it does. You cannot say that has no reason to do so. I'm sorry, I didn't realise this was your logic. I assumed that we were operating from the baseline that companies are only using the data that they need in order to operate.

Of course, this is a common assumption. Because you don't see the need for the Steam ID, you assume it must be superfluous. This isn't the case. Your Steam ID will be required in this instance because your product key needs some kind of relevance. Otherwise all 2K have is a product key, an operating system, a web browser and your installed fonts. Maybe an IP address.

I was talking specifically about the data processing. That's exactly what I was talking about. We were talking about the consent given (the EULA) and the safety of the storage (the processing). We were not talking about whether or not 2K needed the data in the first place. That was never stated.

As for what you could say, you don't have to speculate on the competencies of others at all. You don't know what I know, I don't know what you know. All we know is what we post

 

A nice article on Wired about Red Shell (Civ VI is also mentioned) -> http://www.wired.co.uk/article/red-shell-game-tracking-gdpr

Also regarding legality and GDPR just a general comment about lawyers. Generally lawyers are totally rubbish at technology. Even professors.

I did the first year postgrad law program (called GDL in the UK) and just as an example the EU lecturer used to call the codecs that M$ released as part of its WMP settlement with Real as "the codes". She kept saying Microsoft gave up "the codes". And every time she said "the codes" I was like ->



Lawyers are typically not very tech aware as most of them come from the arts & humanities...there are so few from eng., maths, sciences nowadays.

So many (even those with immaculate legal credentials) may not know of the technical details of what data Red Shell analyses in relation to GDPR. Just sayin'

 

I think taking your experience with a single lecturer from a single point in your life and extrapolating across the entirety of the profession involved with GDPR and EU law is . . . a bit of a stretch

 

Maybe you misunderstood me, I am not saying that they have no reason to store that data. I am sure they have a valid and plausible reason to store this data and it is totally legit to do that for that reason. All I am saying is that because they store it, it is a fact that they have to obey the GDPR. That's all I am talking about. And because of that the concerns of my very first post are valid. It is not that they are not allowed to collect data. Of course they can collect data if they have a plausible reason, even if that reason is advertisement. The GDPR does not prohibit data collection. What I am saying is that they have to inform me and offer an easy opt out because it is required by the GDPR.

In short:
Store personal data => Have to obey GDPR => Must offer easy opt out and inform users of data collection in "GDPR-style" (not some cryptic and vague text hidden in EULA).

 

I don't want to diss lawyers but many are technophobes and are terrible at arithmetic and math. Why isn't that what you'd expect from graduates of languages, history, etc.?

The days when lawyers were maths grads (like the famous/celebrated Lord Denning) are long gone. I was the only maths grad in my entire year. (Also the only black person but there are more black people than math grads in law).

Just because they can upload pics to Facebook and can tweet doesn't make them technically able. (My mom can do those things)

Take GDPR: it's been criticised for being overly bureaucratic yet vague. And consider the farce that is patent law...it's the result of the lack of lawmakers with tech backgrounds IMO

 

Just for the record: I don't care.

 

I think the ambition with GDPR is great -> Let people control how their personal data is used and make sure companies who store personal data are liable for any misuse of it.
On the other hand, personal data is integral in our economics today, and many companies are dependent on it. Now it's all in a greyzone, Red Shell being one example: Can that data be used to identify a person?

 

Yeah, TBH most of you will be of absolutely no interest to the US govt. or any other

Soz. Unless you're a hacker or a person of interest like Assange or Snowden, governments will have little interest in surveilling you. (Yes, there is the Cambridge Analytica side of things which isn't so much personal as using personal data like that harvested by Red Shell in Civ VI for political - sometimes illegitimate - gain).

Moderator Action: Political current events removed. Please stay on topic. leif
Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889