Jump to content
JJValero Writer

Doubt about the GDPR law and scripts accessing external databases.

Recommended Posts

My doubt is a bit difficult to formulate. First I need to explain which point of the GDPR is the one that confuses me.

GDPR is a European law that prohibits having personal data of users if it is not strictly necessary to maintain this data and requires that they have a strong security so that they do not fall into the wrong hands. Also, there has to be a mechanism whereby any user can request from the company that maintains the database what they know about him. This law not only affects European companies but also companies from outside Europe that have European users. It seems that they are a bit strict and consider personal data such things as IP address and user names.

Initially if a script, for example a voting system or a visitor counter stores names within that script, it would not be breaking that law because the data never comes out of SecondLife.

I remember that a few years ago there was a freebie visit counter that used an external database to remind visitors when was the last visit. I also remember external Name2Key databases to get the UUID of a secondlife user from their name. There are also collective ban systems in such a way that if a user is banned from an island it is also banned from all other islands that use that system. There were also avatars lists to avoid content theft through xploits. For example when anyone wear a stolen copy of QHUD it shouts "This HUD is stolen" and the name of avatar is added in a database.

Those type of external database could be breaching the GDPR, although not necessarily, because it maintains a database with personal data. Apart from that, they should implement a mechanism in such a way that a user can request their personal data and even their deletion.

My question is if instead of storing user names, I do a digest using an algorithm such as MD5 or SHA256 could be enough to avoid falling into illegality. Algorithms such as MD256 create a summary of the data provided. and it is not possible to retrieve the data provided from that summary. According to that, the database would be anonymous so it would be complying with the law.

However, in the event that the database is stolen by a hacker, anyone knowing a name could apply the same algorithm and retrieve private data from a user. This is the reason for my doubt.

Is SHA256 enough?

 

Share this post


Link to post
Share on other sites

IMHO the GDPR does not care if you can identify the RL person behind an avatar. Said avatar is identified as recurring reidentifiable individual by it's name...

Share this post


Link to post
Share on other sites

Do those databases use AVATAR identifiable information, or personal HUMAN identifiable information?

I think that is where the differences come into play, and where questions, or a question, must be asked. Though I won't pretend to know much at all about GDPR, let alone individual interpretations of it, I do believe the fact that AVATAR information is not always(or even mostly) actually able to be connected to HUMAN personally identifiable information, plays a massive role in why some things are not considered violations. It is entirely possible that some avatar information can be linked to a real life identity, but it's even more possible(factual even) that most cannot, and that it is beyond super easy to circumvent methods that DO link avatar identities with real human identities. Does the GDPR recognize avatars, or characters, or whatever other term people might like to use, as real life identities? (that's actually a serious question, because I don't know)

And I could also be entirely way off base...but that's what I understand of it (little as it may be). 

Share this post


Link to post
Share on other sites
1 hour ago, JJValero Writer said:

I also remember external Name2Key databases to get the UUID of a secondlife user from their name.

 

Sorry i wanted to add something here....an avatar's UUID is public information, you don't even need a database to get that information. It's no more a private bit of information than your avatar's name, and I don't believe it ever has been, nor was ever intended to be.  

Share this post


Link to post
Share on other sites

My legal advice, hundreds of AU$ paid to a real lawyer was... Game characters are not covered under GDPR

The responsibility comes to the Lab.

 

Edit: You should of course do the same thing, pay a lawyer and get your own advice. Lawyers love to make money and they are far more certain then forum dwellers - who fall into two camps, both certain they are correct.

 

Edited by Callum Meriman
  • Like 4

Share this post


Link to post
Share on other sites

@JJValero Writer

You appear to have completely misunderstood what GDPR is and what it is not.

Nowhere does it state that holding a database with personal information is illegal!

Quite the opposite in fact, especially where it's for personal use as one example.

GDPR applies to how the data is protected and what the lawful reasons for holding it are and also rights of the data subject.

Shame the other long thread got deleted, looks like we need to buckle up and go for the same ride.

  • Like 2

Share this post


Link to post
Share on other sites

Doesn't matter.  An avatar display name, user name, and UUID are not "personal information." 

Share this post


Link to post
Share on other sites
9 minutes ago, Lindal Kidd said:

Doesn't matter.  An avatar display name, user name, and UUID are not "personal information." 

I repeat from deleted thread...

Caspertech sees that different, and I bet Casper payed internet lawyers for their insights as well...

https://blog.caspertech.co.uk/gdpr-is-coming-and-it-affects-you/

 

Edited by Fionalein
  • Haha 1

Share this post


Link to post
Share on other sites

Some of Casper's (rental) vendors deal with PayPal too don't they?

In those cases he most certainly needs to be careful, he has financial information linked to avatars.

The rest of us, are not dealing with this in real life terms, real life is nowhere near our game characters.

  • Like 3

Share this post


Link to post
Share on other sites

@JJValero Writer

if what you are doing is critical to your RL income then do the same as Casper - err on the side of caution

while we can obtain a legal opinion from a lawyer, that opinion is not the law. The only legal opinion that truly matters is that of the GDPR enforcement agency. It is the agency which initiates legal proceedings that can hurt our RL income badly should the legal opinion we obtained independently turn out to be false

about caution

personally I would not try to end run the legislation if my RL was dependent on an SL business activity

is trival to create a GDPR-compliant LSL script and stick it in a prim at our inworld location

all the script has to do is llRegionSayTo() "Yes" or "No" when a avatar clicks on it

"No" we store nothing about you

"Yes" we have your avatar key, name, ... other details ...
We have your information for these business reasons...

and done

if we don't think or care that any of this matters to our RL income then can go with any opinion, scheme or non-business process, including doing nothing 

Share this post


Link to post
Share on other sites
1 hour ago, Callum Meriman said:

The rest of us, are not dealing with this in real life terms, real life is nowhere near our game characters.

picking up on this

if we are deriving a real world benefit from our SL business activities then I think its a little bit more than a matter of game character relationships. A real world benefit is the USD we can get from converting L$. If we are not converting L$ to USD then yes the game character scenario probably applies

Share this post


Link to post
Share on other sites

Without wanting to rehash the deleted thread, my interpretation broadly agrees with Casper's. Like him, I deal with sensitive information (special category data, in my case), so I am erring on the side of caution. I do also hold actual personal details that are undeniably within the scope of GDPR.

I do know that, once you have decided something might be personal data, making it anonymous is not easy. I think you would be better off asking elsewhere, as it isn't an SL-specific problem.

My suspicion is that you are correct, and hashing is insufficient. I anonymised some survey results by removing direct identifiers, separating out the responses to each question and scrambling the order, so that noone could build up a profile of information on any individual respondent.

 

If the process is reversible at all, even with extra information, it's not anonymised for GDPR purposes.

Share this post


Link to post
Share on other sites

as I said before, I'm not collecting your real information and only collecting, sale amount, what sim you rezzed it in (to apply a id number) and the avatar key (which is public information)  so that's that.

Share this post


Link to post
Share on other sites
9 hours ago, Callum Meriman said:

My legal advice, hundreds of AU$ paid to a real lawyer was... Game characters are not covered under GDPR...

SIlly question: does your Lawyer fully to all extents understand what SL is? Even more than Minecraft  SL is so much more than a "game". You cannot derive person preferences from a MMORPG character's actions as in Warcraft, in SL however that's easy, you shoudl have asked him if your storing your Amazon handle without knowing the real person behind it would be OK instead... might be he would have answered different than for "a game". ;)

Edited by Fionalein
  • Haha 1

Share this post


Link to post
Share on other sites
23 minutes ago, Fionalein said:

SIlly question: does your Lawyer fully to all extents understand what SL is? 

Yep, I am pretty happy with the advice. Storing an amazon handle is tied to financial data. People entering a region... meh. 

 

Edited by Callum Meriman
  • Like 1

Share this post


Link to post
Share on other sites
12 hours ago, JJValero Writer said:

This law not only affects European companies but also companies from outside Europe that have European users.

You are mistaken. The law might say that, I don't know, but EU laws do not apply to countries outside the EU. For instance, the USA cannot make a law that we here in Britain have to abide by. What a country can do is make a law that applies to outside companies IF they have a presence in the country. Foreign customers/users are not a presence. An office in the country is a presence.

Edited by Phil Deakins

Share this post


Link to post
Share on other sites
8 hours ago, ellestones said:

@JJValero Writer

while we can obtain a legal opinion from a lawyer, that opinion is not the law. The only legal opinion that truly matters is that of the GDPR enforcement agency.

Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal.

This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against.

https://www.bbc.co.uk/news/uk-politics-45519676

Share this post


Link to post
Share on other sites
2 minutes ago, Callum Meriman said:

It's Déjà vu all over again

Why was the other thread deleted?

Because not everyone in the forums is a Rhinoceros

  • Haha 2

Share this post


Link to post
Share on other sites
55 minutes ago, Bradford Mint said:

Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal.

This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against.

https://www.bbc.co.uk/news/uk-politics-45519676

true that the courts have the final say. What ruins our RL is the fact that we have been prosecuted. A prosecution brought by the enforcement agency according to their legal opinion. We may eventually be vindicated by the courts, assuming that the enforcement agency doesn't appeal the rulings all the way to the end

personally I wouldn't gamble on any of this if my RL income was at stake. Not when compliance is a simple LSL script away. We can always get all philosophical tho when we have little to zero at stake, or when is some other person's money we are philosophically gambling with

some people on here have thought about what this might mean for them, and have just gone meh! Which I think is a pretty good response, philosophically speaking

 

Share this post


Link to post
Share on other sites

So just to put some of this into perspective of what's perceived to be a problem and the likely outcome, i'll share some recent fun around some requests for personal data from large, highly "credible" organisations (I use that term loosely depending on your point of view but each of them is a well known organisation.  I'll keep them brief but you'll see where this goes:-

A previous employer - "we don't hold any personal data beyond 7 years". I pushed hard and magically they came back with my employment details, entire record and banking details from over 10 years ago. I asked them to delete it all as they had no lawful need to keep it. Ah bit of a problem there because it's all archived in the same dataset as others and they can't delete individual records (write only media).  What am I going to do, cry boohoo to the Information Commissioner?

A parking provider - "we have no data". I pushed on this one, they  magically came back with a bunch of data, CCTV, locations of vehicles etc.  "Delete it all" I said, it's of no use to you.  They said they had. I asked for proof, they said they didn't need to provide any.  What am I going to do, cry boohoo to the Information Commissioner? Besides, i'll be back in those car parks and the cars will be recorded again so back to square one.

An insurance provider - These guys were really good, 8/10 on the GDPR SAR response scale, immediately understood my deliberately vague request, came back with all the data.  "Delete it all" I said, I have no contract with you anymore and haven't had for 3 years. They said "no way, we're keeping it for 8 years just in case!". What am I going to do, cry boohoo to the Information Commissioner?

A major airline - Hopeless, 2 hours trying to get an agent in a call centre to first of all understand that they really do have databases other than the flight booking one. Eventually, I got the data haul by going through obtuse channels but it was late, far beyond the 30 days they're permitted.  What I am going to do, cry boohoo to the Information Commissioner?  In this case they said that the I.C. was already aware but then they were rather busy as they had already had to fess up to a breach of 380,000 customers credit card details a week ago.

In perspective, given the above, lets just consider for one moment the likely response from the Information Commissioner when presented with the following:-

Complainant: *sobs* "I think someone who I don't know, in a game, just might have logged my avatar name and public UUID and *sniffs* it's not fair, I want something done!"

Information Commissioner to their office buddy: "Bob, pass me the "Petty Complaints" file again would you please?" and responds back "thanks for your report" *closes file*

Now i'm not suggesting that the issue isn't potentially genuine but in terms of traction with regard to potential penalties, most of these concerns are up there with complaints to the police about people in the street looking at them in a strange way.

Now, on the other hand, if said database holds SL AND RL data and sensitive PII pertaining to religous and sexual traits which is then breached and releases the entire SL database to the internet, that may get more than a raised eyebrow.

But....then if the database is only for personal use, it falls outside the remit of GDPR anyway so *slam dunk* end of thread.

Thanks, you're welcome!

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×