DragonPrime - LoGD Resource Community

Game Administration, Installation and Configuration => Game Administration Chat => Topic started by: Nightborn on December 26, 2017, 04:42:11 AM



Title: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 26, 2017, 04:42:11 AM
Hi folks,

this small big bonker will hit us all: https://www.eugdpr.org/

It's about a user's rights regarding the personal data we store. That "personal" is relatively broad, in Lotgd it hinges upon IP, email and ID (cookie) if I am not missing anything.

If you have a US server and say "baah, it's EU, not my turf", you're only safe if you *actively block people from the EU to register/play* ... so I guess not.

Facebook and all the other big ones have updated or are updating their services to reflect the following (main) points:
* Users have transparent view on what is saved
* Users may exert their right "to forget" (aka complete and irreversible deletion of their private data)
* Servers are only allowed to save personal data on a "minimum needed" basis
* Servers may not use any personal data for other services or offers they provide without an optional (aka not required for the main service) data privacy agreement

There is a lot more to it, but it does apply to "free services" and I think Lotgd servers are not "purely personal" as we allow any users to register.

You *could* circumvent this if you disable registering and only play with friends.
But alas, also a No.

So...what is needed for Lotgd to be able to work with that regulation after the deadline in May 2018 (after that you may be reported to a local authority which will issue fines, *big* fines)?

I so far have isolated:
* you need to provide users a download of "all personal data", which implies petitions and mails (in them they could have issued personal data) as well as bio stuff. Anything where they may have entered personal data.
* you need to make transparent what you keep and how long
* you need to remove upon request (automatically, not a long manual process) all personal data (for backups: you need a script that deletes any "forget me!"-guys directly after. else you violate the agreement)
  (this is particularly interesting for the char restorer, for which you'd need an optional agreement to keep or you have to delete those after expiration too, making it useless)

Footnote:
I am in charge of this at my company, this is why I wanted to let you know. It's not trivial.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Anharat on December 26, 2017, 12:20:23 PM
Had this topic at work as well, but did not get into it yet.  Thanks a lot for sharing those "isolated" information and I hope you keep this updated.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Stephen.Kise on December 26, 2017, 05:03:46 PM
Wouldn't the simple solution to this be:
* Require consent for any user on the creation screen, to notify players that their email, IP, and cookies are analyzed for operation of the server.
* Place information about that consent in the logged-in section of the game (Since they need to be able to view their rights again at any time).
* Access to all data for that account (mail to and from a certain user, a user's petition data, and character/preference data) upon request.
* Delete email, ipaddress, uniqueid, mail, petitions and other personal data from character restore sheets, or delete the entire sheet itself if requested.

If the user does not agree to all terms, you should just delete the account and not allow the player to join. My only concern about the topic is transferring data, and the right of erasure. If a player says "Forget me" you have to delete all character, mail, and petition backups of an account from every backup. That, or I am just not understanding the language on that site. This is particularly nasty if you have a backup system in place for both files and SQL data that run daily.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 26, 2017, 09:03:42 PM
Would this apply ONLY to EU users registering after this takes effect, or would it also be retroactive to existing EU users?

If so, could anyone develop a module that would handle this...so that user info could be completely deleted on request?

I am not sure how you handle this...


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Stephen.Kise on December 26, 2017, 10:57:32 PM
Quote
Would this apply ONLY to EU users registering after this takes effect, or would it also be retroactive to existing EU users?

If so, could anyone develop a module that would handle this...so that user info could be completely deleted on request?

I am not sure how you handle this...

It would be more than likely an update or fork of the current character restore module, since that is what handles most storage on most servers. That would only require a few more hooks, theoretically, and would not be much of a change to the module. However, I would have to look into the language of the GDPR more to be 100% certain.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 27, 2017, 12:31:11 AM
All to my current knowledge:

@
Quote
Would this apply ONLY to EU users registering after this takes effect, or would it also be retroactive to existing EU users?

Retroactive, to all after May 25th.

@
Quote
If a player says "Forget me" you have to delete all character, mail, and petition backups of an account from every backup. That, or I am just not understanding the language on that site. This is particularly nasty if you have a backup system in place for both files and SQL data that run daily.
The standing there is "if you have such a backup, you have to automatically(!) make sure all please-forget-me-people are erased after restoral and before putting data live or for analysis".
That should be done in a process, as backup restorals are in 99% manual actions and not automatic ones.
I think a script will suffice that deletes all data based on acctid (which you may log, because the ID holds no personal data. you may not hold email addresses of people who wanted to be forgotten).

I am writing a module that handles the "give me my data" (=puts mails,petitions,village chats etc. in a text file for download) and the erase-me-please which also will store a list of acctids and the date when it was requested. Upon that, you could base a script that deletes any forget-me upon a database restoral.
It would also check the charrestore guys and delete files there. But, alas, that would also need to be in a script if you have a file backup.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 27, 2017, 09:20:05 AM
I think I have the charrestore ready now.

Issue is the stored email, but a hash serves as well for people to claim ownership. You can restore the char and then manually replace the mail if the token matches.

* replaced emailaddress with a sha512 hash (varchar128 in the db is exactly right)
* added a salt as setting (FILL BEFORE HASHING!)
* added a mail notification when a char is deleted/expires and is stored.
* added a convert function for legacy stuff. it will convert all your old chars and put the hash in

DISCLAIMER:
Somebody with an untouched 1.1.2 dp edition could edit it please, I think I built a few things in (replaceemail?) in core that don't exist.
I have also changed some stuff in the charrestore (I believe I added the mail search in the first place).
Please BACKUP and then TEST.
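
The e-mail-to-hash replacement described in the post above, as an added example that is not part of the original post or the attached module. It swaps the plain salted SHA-512 for HMAC-SHA512 keyed with the site setting (still 128 hex characters); the function names, the sample secret and the addresses are hypothetical and constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the charrestore module's code. Function names, the sample
// secret and the sample addresses are hypothetical and constructed.

/** Keyed, normalised fingerprint of an e-mail address: 128 hex chars, fits VARCHAR(128). */
function email_token(string $email, string $siteSecret): string
{
    // "FILL BEFORE HASHING": refuse to run with an empty or short setting,
    // otherwise every stored token is an unkeyed hash of a guessable value.
    if (strlen($siteSecret) < 32) {
        throw new InvalidArgumentException('site secret missing or too short');
    }
    // Normalise so "Bob@Example.org " and "bob@example.org" claim the same character.
    $normalized = strtolower(trim($email));
    return hash_hmac('sha512', $normalized, $siteSecret);
}

/** True if the address a player supplies matches the token stored with the saved character. */
function claim_matches(string $claimedEmail, string $storedToken, string $siteSecret): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($storedToken, email_token($claimedEmail, $siteSecret));
}

/** Legacy conversion: replace a plaintext address in a saved record with its token. */
function convert_legacy_record(array $record, string $siteSecret): array
{
    $value = (string) ($record['emailaddress'] ?? '');
    // Records that already hold a 128-hex token are left alone, so the
    // conversion can be re-run safely over a half-converted directory.
    $alreadyToken = preg_match('/^[0-9a-f]{128}$/', $value) === 1;
    if ($value !== '' && !$alreadyToken) {
        $record['emailaddress'] = email_token($value, $siteSecret);
    }
    return $record;
}

// --- constructed sample run ---
$secret = 'constructed-sample-secret-do-not-reuse-0123456789';
$saved  = convert_legacy_record(['login' => 'bob', 'emailaddress' => 'Bob@Example.org '], $secret);

echo 'token length: ', strlen($saved['emailaddress']), "\n";
echo 'owner claim accepted: ', var_export(claim_matches('bob@example.org', $saved['emailaddress'], $secret), true), "\n";
echo 'other claim accepted: ', var_export(claim_matches('eve@example.org', $saved['emailaddress'], $secret), true), "\n";
echo 'second conversion is a no-op: ', var_export(convert_legacy_record($saved, $secret) === $saved, true), "\n";
```

The token is pseudonymous, not anonymous: anyone holding both the secret and the saved files can test candidate addresses against them, so the setting should not be stored alongside the character files or in the same backup. Changing the secret later invalidates every stored token.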


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 27, 2017, 12:08:47 PM
Quote
All to my current knowledge:

@
Quote
Would this apply ONLY to EU users registering after this takes effect, or would it also be retroactive to existing EU users?

Retroactive, to all after May 25th.

@
Quote
If a player says "Forget me" you have to delete all character, mail, and petition backups of an account from every backup. That, or I am just not understanding the language on that site. This is particularly nasty if you have a backup system in place for both files and SQL data that run daily.
The standing there is "if you have such a backup, you have to automatically(!) make sure all please-forget-me-people are erased after restoral and before putting data live or for analysis".
That should be done in a process, as backup restorals are in 99% manual actions and not automatic ones.
I think a script will suffice that deletes all data based on acctid (which you may log, because the ID holds no personal data. you may not hold email addresses of people who wanted to be forgotten).

I am writing a module that handles the "give me my data" (=puts mails,petitions,village chats etc. in a text file for download) and the erase-me-please which also will store a list of acctids and the date when it was requested. Upon that, you could base a script that deletes any forget-me upon a database restoral.
It would also check the charrestore guys and delete files there. But, alas, that would also need to be in a script if you have a file backup.

Excellent.

Meanwhile, one could comply with such requests by manually erasing it from the database...right??


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 27, 2017, 12:12:50 PM
It states there the procedure must be "automatically" if I remember correctly.
So... no.
You have to have it in the software.

If you save the data one moment longer than necessary, you're technically breaking the regulation (hence I did put that into the module)


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 27, 2017, 04:25:09 PM
Quote
It states there the procedure must be "automatically" if I remember correctly.
So... no.
You have to have it in the software.

If you save the data one moment longer than necessary, you're technically breaking the regulation (hence I did put that into the module)

Well, then.  Until and if I could get that working...is there a way to have EU players either state that they do not wish to invoke that right...at least till I get it working...or would I need to not accept new players from EU?

I sorta doubt the EU cops would be real huge in going after a two-bit game operator that doesn't have a pot to pee in and is in America anyway, but, all the same, the law is the law, and I need to know how I can comply...I am assuming your module, Nightborn....won't work with 1.1.0 that I am running?

I am NOT ready for an upgrade yet.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Stephen.Kise on December 28, 2017, 09:36:03 AM
Quote
It states there the procedure must be "automatically" if I remember correctly.
So... no.
You have to have it in the software.

If you save the data one moment longer than necessary, you're technically breaking the regulation (hence I did put that into the module)

Well, then.  Until and if I could get that working...is there a way to have EU players either state that they do not wish to invoke that right...at least till I get it working...or would I need to not accept new players from EU?

I sorta doubt the EU cops would be real huge in going after a two-bit game operator that doesn't have a pot to pee in and is in America anyway, but, all the same, the law is the law, and I need to know how I can comply...I am assuming your module, Nightborn....won't work with 1.1.0 that I am running?

I am NOT ready for an upgrade yet.

The regulation will probably not be policed heavily here in the US, but if there is a leak of data and the source is discovered to have come from your server, then they would have an issue. This regulation is to make server owners more aware of the risks that they put people in when the source of their application is not secure. So no, you will not have an agent knocking on your door come April 2018, but it is just a lot safer to follow regulation and comply with the laws that protect us. I know it is frustrating for you in this instance - it's even a tad bit annoying for me - but it needs done. Perhaps you could create a backup of your character restore module, replace it with this, and test it out for 1.1.0. If there are any issues with NightBorn's character restore on 1.1.0, you could post here and a solution will be found quickly.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 29, 2017, 03:33:36 AM
Stephen.Kise did explain the issue well.

Quote
Well, then.  Until and if I could get that working...is there a way to have EU players either state that they do not wish to invoke that right...at least till I get it working...or would I need to not accept new players from EU?

You would need to block the EU completely on IP basis. So yes, it would affect current players. There is no legacy clause.

Quote
I sorta doubt the EU cops would be real huge in going after a two-bit game operator that doesn't have a pot to pee in and is in America anyway, but, all the same, the law is the law, and I need to know how I can comply...I am assuming your module, Nightborn....won't work with 1.1.0 that I am running?
Not out of the box, I would assume. I think a few things are only needed in my edited version, so you'd need to strip that out.
Assembly required.

Quote
I am NOT ready for an upgrade yet.
The GDPR was finalized and went "live" in 2016. Most people (like me) wait(ed) the 2 years grace period until it had the fines live.

It doesn't matter if you're ready, technically except for an IP block, this is coming.
It also affects any form of service (forums, wikis, etc) you provide where people can make accounts.
I horribly saw in my forum birthdays are also saved (because, why not). So I have to fix that too. Either just disallow or I have to manually clean up.

Not that funnily also DP itself is affected. :P I believe Talisman does backups (or their hoster), so you need the "forget me" function.
in SMF, to my knowledge, there is no such thing yet out-of-the-box.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 31, 2017, 03:07:57 AM
So what things would be needed for 1.1.0 in your edited version, do you think, Nightborn?  What parts currently would not work, then let me see if I can use my minimal coding skills to work around it?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 31, 2017, 03:30:55 AM
Run it on a test server and see what pops up :)
I think minor changes in the sql statements really.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 31, 2017, 05:18:57 AM
Quote
Run it on a test server and see what pops up :)
I think minor changes in the sql statements really.

I wish I had a test server....


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on December 31, 2017, 07:36:39 AM
First thing:
Setup a test server.
(Like I told in the other thread, with xampp or another suite).
Virtualbox is free and you need the knowledge to run a decent lotgd site.
I know, a lot of trouble... but... you're a service provider now =)

@"right to be forgotten"

I think the best way is to use stored procedures.
They can trigger automatically if needed and will be carried in the database directly.
I will use a new table "accounts_never_restore" to reflect the account ids.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 31, 2017, 12:22:55 PM
Just as an aside to this....would removing the Character Restorer....also solve the problem to then be in compliance with the new EU law??


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Aeolus on December 31, 2017, 05:43:27 PM
Quote
Just as an aside to this....would removing the Character Restorer....also solve the problem to then be in compliance with the new EU law??

For this particular module, yes, as long as you uninstall the module and delete any existing restore files.

It does not, however, mean that you no longer have to update your core with the required changes to be compliant as well. (> inb4 we know you hate core updates.)


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on December 31, 2017, 10:26:24 PM
Quote
Just as an aside to this....would removing the Character Restorer....also solve the problem to then be in compliance with the new EU law??

For this particular module, yes, as long as you uninstall the module and delete any existing restore files.

It does not, however, mean that you no longer have to update your core with the required changes to be compliant as well. (> inb4 we know you hate core updates.)

What required changes?  This is what I am trying to learn.  Don't feel like having someone knock on my door, LOL.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on January 01, 2018, 09:04:26 AM
You need to i.e. have the function to "forget" a user and remove the mail address from your db - this does lotgd if you allow (which you now must) user deletion by user.

BUT

You then have to have the "right to forget"-stuff, which means you need to have (this is my theory and solution) a list of account-ids of those who did that.
IF you have server backups / database backups (which is strongly recommended) you have to have a function to filter the ones out that said "forget me".

I solved this with mysql triggers for now (check a table accounts_never_restore and then delete all accounts with those IDs if they exist).
I still need the function for the user to trigger this. Point is: if somebody throws a fit and hits the button... that's it. No recovery. Gone. Forever.
A lot of users want a restoral after fits. :D
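
The restore-time purge discussed in this thread (a list of forgotten acctids in accounts_never_restore, applied after a backup is loaded and before the data goes live), as an added example that is not Nightborn's module or triggers. It uses PHP with an in-memory SQLite database standing in for MySQL so it runs offline; the mail, petitions and accounts column names and all sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Only accounts_never_restore and
// acctid come from the posts; all other table/column names are assumed.

/** Tables and the columns in them that hold an account id (assumed names, fixed list). */
const PURGE_TARGETS = [
    'mail'      => ['msgfrom', 'msgto'],
    'petitions' => ['author'],
    'accounts'  => ['acctid'],
];

/** Constructed stand-in for a database that was just restored from an old backup. */
function restore_sample_backup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, login TEXT, emailaddress TEXT)');
    $db->exec('CREATE TABLE mail (messageid INTEGER PRIMARY KEY, msgfrom INTEGER, msgto INTEGER, body TEXT)');
    $db->exec('CREATE TABLE petitions (petitionid INTEGER PRIMARY KEY, author INTEGER, body TEXT)');
    $db->exec('CREATE TABLE accounts_never_restore (acctid INTEGER PRIMARY KEY, requested TEXT)');
    $db->exec("INSERT INTO accounts VALUES (1,'alice','alice@example.org'),(2,'bob','bob@example.org'),(3,'carol','carol@example.org')");
    $db->exec("INSERT INTO mail VALUES (1,2,1,'hi from bob'),(2,1,2,'hi bob'),(3,1,3,'hi carol')");
    $db->exec("INSERT INTO petitions VALUES (1,2,'my street address is ...'),(2,3,'bug report')");
    return $db;
}

/**
 * Merge the forget list that is kept OUTSIDE the backup. The restored copy of
 * accounts_never_restore is as old as the backup and misses every later request.
 */
function merge_forget_list(PDO $db, array $externalList): void
{
    $exists = $db->prepare('SELECT 1 FROM accounts_never_restore WHERE acctid = ?');
    $insert = $db->prepare('INSERT INTO accounts_never_restore (acctid, requested) VALUES (?, ?)');
    foreach ($externalList as [$acctid, $requested]) {
        $exists->execute([$acctid]);
        $known = $exists->fetchColumn() !== false;
        $exists->closeCursor();
        if (!$known) {
            $insert->execute([$acctid, $requested]);
        }
    }
}

/** Delete every row that belongs to a forgotten account; all or nothing. */
function purge_forgotten(PDO $db): array
{
    $deleted = [];
    $db->beginTransaction();
    try {
        foreach (PURGE_TARGETS as $table => $columns) {
            $deleted[$table] = 0;
            foreach ($columns as $column) {
                // Identifiers come from the constant above, never from user input.
                $deleted[$table] += $db->exec(
                    "DELETE FROM $table WHERE $column IN (SELECT acctid FROM accounts_never_restore)"
                );
            }
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $deleted;
}

/** Rows still tied to a forgotten account; must be 0 before the site goes live. */
function residual_rows(PDO $db): int
{
    $left = 0;
    foreach (PURGE_TARGETS as $table => $columns) {
        foreach ($columns as $column) {
            $left += (int) $db->query(
                "SELECT COUNT(*) FROM $table WHERE $column IN (SELECT acctid FROM accounts_never_restore)"
            )->fetchColumn();
        }
    }
    return $left;
}

// --- constructed run: account 2 asked to be forgotten after the backup was taken ---
$db = restore_sample_backup();
merge_forget_list($db, [[2, '2018-05-26']]);
print_r(purge_forgotten($db));
if (residual_rows($db) !== 0) {
    fwrite(STDERR, "forgotten accounts still present, do not go live\n");
    exit(1);
}
echo "purge verified, no rows left for forgotten accounts\n";
```

Run it as the last step of a restore and bring the site up only if it exits with status 0. The forget list itself has to be stored somewhere the restore does not overwrite.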


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 01, 2018, 09:53:05 AM
Quote
You need to i.e. have the function to "forget" a user and remove the mail address from your db - this does lotgd if you allow (which you now must) user deletion by user.

BUT

You then have to have the "right to forget"-stuff, which means you need to have (this is my theory and solution) a list of account-ids of those who did that.
IF you have server backups / database backups (which is strongly recommended) you have to have a function to filter the ones out that said "forget me".

I solved this with mysql triggers for now (check a table accounts_never_restore and then delete all accounts with those IDs if they exist).
I still need the function for the user to trigger this. Point is: if somebody throws a fit and hits the button... that's it. No recovery. Gone. Forever.
A lot of users want a restoral after fits. :D
Then you could have a warning pop up when someone hits the button....similar to how you can back out one time if you choose the wrong specialty after a DK, right?

Have the first push of the button bring up the warning....and then have a back up and a proceed button.

Where all in the data base is the account info stored?

It would seem to me that character deletion, coupled with not making them retrievable by way of the character restorer...would work.  Is there something else I am missing?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 01, 2018, 01:54:16 PM
OK, so I downloaded VirtualBox on my machine, but I am honest, I do not know what exactly to do with it...

I have never worked with stuff like this before.  Can anyone help me just get an LOTGD 1.1.2 set up on this thing?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on January 04, 2018, 10:54:39 AM
@account deletion
yes, you need to have something so it will be wiped when you restore stuff from a backup.
or you never do backups... well, that solves it too.

@virtualbox
very very lengthy thing if you do this the first time.
there are guides:
http://www.thelinuxdaily.com/2010/02/how-to-setup-a-pre-built-virtualbox-guest-image-tutorialguide/
i.e.



Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 04, 2018, 11:01:43 PM
Quote
@account deletion
yes, you need to have something so it will be wiped when you restore stuff from a backup.
or you never do backups... well, that solves it too.

@virtualbox
very very lengthy thing if you do this the first time.
there are guides:
http://www.thelinuxdaily.com/2010/02/how-to-setup-a-pre-built-virtualbox-guest-image-tutorialguide/
i.e.



Thank you.  This is the sort of guide that actually helps me, printed instructions with pictures that stay still and I can look and read as long as I need.  I hate youtube "tutorials" they always go too fast.

But...this has you setting up a Linux Machine....is it on THIS that you then create an LOTGD server...or how does this part work, actually?

Sincerely never actually did this before, my site was set up by a friend who knows a ton more about computer stuff than I do...LOL

By the way, might be a good idea to split this part of the topic off, as it has nothing to do with the OP.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on January 07, 2018, 02:46:25 PM
Quick response in here:

Mhm, platform overview (I think you're using webspace).

You know:
webserver/webspace <-- FTP to get on it and drop files
database <-- you go to a phpmyadmin and import/export, right?
domain <-- you do a setup on a web frontend for that

that's the foundation you will build in a virtualbox. it will provide above, though you may need to install the necessary software and do a bit of configuration.
Most should be installed, but I'll mention the software
webspace <-- install apache2 to provide a webserver, put your files in /var/www/html
database <--- install mysql and phpmyadmin (best as an ubuntu package via APT or if you downloaded a desktop ubuntu, from the desktop, package management)
domain <-- you have none, but you should be able to work on IP basis (virtualbox assigns a net)

Yes, it's a lot if you've never done things like it, but it's really helpful. :D


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 09, 2018, 08:16:52 PM
Quote
Quick response in here:

Mhm, platform overview (I think you're using webspace).

You know:
webserver/webspace <-- FTP to get on it and drop files
database <-- you go to a phpmyadmin and import/export, right?
domain <-- you do a setup on a web frontend for that

that's the foundation you will build in a virtualbox. it will provide above, though you may need to install the necessary software and do a bit of configuration.
Most should be installed, but I'll mention the software
webspace <-- install apache2 to provide a webserver, put your files in /var/www/html
database <--- install mysql and phpmyadmin (best as an ubuntu package via APT or if you downloaded a desktop ubuntu, from the desktop, package management)
domain <-- you have none, but you should be able to work on IP basis (virtualbox assigns a net)

Yes, it's a lot if you've never done things like it, but it's really helpful. :D

I managed to get a test server going in XAMPP.
The problem I had had before with it was that I needed an older version of XAMPP, the one I was trying to use came with PHP 7 and LOTGD 1.1.2 won't work on PHP 7.

So the one I got now has PHP 5.6


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 14, 2018, 02:21:19 PM
Quote
I think I have the charrestore ready now.

Issue is the stored email, but a hash serves as well for people to claim ownership. You can restore the char and then manually replace the mail if the token matches.

* replaced emailaddress with a sha512 hash (varchar128 in the db is exactly right)
* added a salt as setting (FILL BEFORE HASHING!)
* added a mail notification when a char is deleted/expires and is stored.
* added a convert function for legacy stuff. it will convert all your old chars and put the hash in

DISCLAIMER:
Somebody with an untouched 1.1.2 dp edition could edit it please, I think I built a few things in (replaceemail?) in core that don't exist.
I have also changed some stuff in the charrestore (I believe I added the mail search in the first place).
Please BACKUP and then TEST.


I have an untouched 1.1.2 DP version running now in XAMPP.

I will try it out thoroughly for you...please tell me everything you want tested.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on January 28, 2018, 04:57:07 AM
You can try to get the module working :)

Mostly try deleting or expiring a char, then it should be in the save directory on the file system. It should now feature a sha1-hashed email.

If it doesn't generate a character copy, something might be not working.

I've had no time to work on the module - busy at work atm.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on January 28, 2018, 09:09:44 AM
Quote
You can try to get the module working :)

Mostly try deleting or expiring a char, then it should be in the save directory on the file system. It should now feature a sha1-hashed email.

If it doesn't generate a character copy, something might be not working.

I've had no time to work on the module - busy at work atm.


OK.  Is this like the old one, where you have to have gotten at least 5 dragon kills before it will have saved anything?

Let me know.  Then I could test it for you.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on February 04, 2018, 12:49:01 AM
I think I attached it in this thread "charrestore".
But I fixed minor things, mostly a search bug which did not show any chars saved if you leave the email address.

The very same actually, just minor modifications.

It works on my site well, I already restored a few.
And I like it  better w/o user email - you don't have to dally around "I can't tell you what email that char was made", because you simply don't know anymore :D


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on February 04, 2018, 05:30:55 PM
Quote
I think I attached it in this thread "charrestore".
But I fixed minor things, mostly a search bug which did not show any chars saved if you leave the email address.

The very same actually, just minor modifications.

It works on my site well, I already restored a few.
And I like it  better w/o user email - you don't have to dally around "I can't tell you what email that char was made", because you simply don't know anymore :D

So should I now use this one you just attached...or the one I was using?  The first one you posted?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on March 26, 2018, 09:42:31 AM
The last one :P

I'll make hopefully the last stuff on easter.

I updated my lotgd install to 16.04 with php7 + mysql 5.7.
Not a lot of fun though.

I had double-encoded utf8 strings in my db -_- now it's all fixed.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on May 20, 2018, 09:38:25 AM
Well, busy on the last couple of days.

I used the "creationaddon" to show my privacy policy statements, but it has one drawback: it *only* confirms them on creation(hence the name), and it has no way to do so afterwards. I had to expand that function, and also add a date as to when the privacy was accepted.
If somebody needs it, I will attach it.

here is the last version of the gdpr extension (=manages only the data export for the user and the 100% safe deletion and no restoral - if you push the mysql functions in you have to execute after you pushed the data in, but that can be set automatically if you need to).

Due to the fact that it's not install-and-done, but needs mysql adaptions, I apologize.
The mysql stuff has to be done in the db, which is something not being able to easily put into a module (no synctable for functions).

EDIT: Just as a summary, you need(!) a privacy statement accessible like an imprint on any page, it has to declare a lot of things. That's mandatory. Mine: https://shinobilegends.com/gdpr/SL%20Data%20Privacy%20Agreement%20and%20Transparency%20Report.pdf


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 27, 2018, 09:15:42 AM
Quote
Well, busy on the last couple of days.

I used the "creationaddon" to show my privacy policy statements, but it has one drawback: it *only* confirms them on creation(hence the name), and it has no way to do so afterwards. I had to expand that function, and also add a date as to when the privacy was accepted.
If somebody needs it, I will attach it.

here is the last version of the gdpr extension (=manages only the data export for the user and the 100% safe deletion and no restoral - if you push the mysql functions in you have to execute after you pushed the data in, but that can be set automatically if you need to).

Due to the fact that it's not install-and-done, but needs mysql adaptions, I apologize.
The mysql stuff has to be done in the db, which is something not being able to easily put into a module (no synctable for functions).

EDIT: Just as a summary, you need(!) a privacy statement accessible like an imprint on any page, it has to declare a lot of things. That's mandatory. Mine: https://shinobilegends.com/gdpr/SL%20Data%20Privacy%20Agreement%20and%20Transparency%20Report.pdf

Or just don't allow character restore, yes??

Seems like this is just too much work.  Seriously.

I believe I simply am just not gonna allow restore...that way, when someone deletes or is deleted they are just gone.  I will put a note in the character deletion that states character will not be able to be restored and a confirm button...and have the note explain it is due to new laws in the EU.

To hell with it.  Not worth the risk of getting into trouble.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Aeolus on May 28, 2018, 01:46:47 AM
Quote
Or just don't allow character restore, yes??

Seems like this is just too much work.  Seriously.

I believe I simply am just not gonna allow restore...that way, when someone deletes or is deleted they are just gone.  I will put a note in the character deletion that states character will not be able to be restored and a confirm button...and have the note explain it is due to new laws in the EU.

To hell with it.  Not worth the risk of getting into trouble.

Good on you. We'll keep up with our own choices.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 28, 2018, 11:03:59 AM
Just as a thought...would there NOT...be a way, within the Character Restorer itself...to have a user-settable pref...that would allow the restorer to fire on deletion (retaining data or not) based on user pref?

And have it default set to OFF...allowing players to OPT-IN? and if that pref is there, THEN the data is retained...otherwise lost.  Would that not be easier??  And accomplish the same thing??

Just saying!!

(As we all know, "OPT-OUT" is the American way...and OPT-IN in the EU way.  I wish, in this case, America would be a lot more like the EU...and we would go OPT-IN instead of OPT-OUT)


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on May 29, 2018, 06:40:38 AM
I found this to be the easiest way to get out of the line of fire as far as cookies go :

https://www.cookiebot.com/en/pricing/

Take the free option as it covers one domain free of charge.
You can set it up within minutes.
 


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 29, 2018, 09:31:24 PM
I found this to be the easiest way to get out of the line of fire as far as cookies go :

https://www.cookiebot.com/en/pricing/

Take the free option as it covers one domain free of charge.
You can set it up within minutes.
 

But if you are not doing character restoration at all...do you need this?

Again, not sure why a user-settable pref can't be added to the Restorer...set default OFF, so that one must OPT-IN...to allow Restoration to happen at all.  The pref can be changed by user ONLY when they attempt to delete.

Then have a confirm step added in the user-originated deletion.  It checks the pref and informs the player of the status.

if the pref is set "off" as is default:

According to GDPR laws enacted in the EU, we are required to inform you that you must OPT-IN to allow for possible character restoration at a later date.  Right now, this option is turned off, meaning all your personal data will be destroyed and unrecoverable.  Do you wish to delete...or do you wish first to change this option?

And then they have to pick.  If no...the character is deleted and no data stored.  If yes...then the pref is set Yes...and we go back to the confirm screen...

if the pref is set YES - since player just set it so....

You are about to delete your character.  In accordance with GDPR laws in the EU, we are required to inform you that your data will be stored for the purposes of restoring this character at a later date should you so choose.  Should you not wish your data to be retained, we will not be able to restore this character at any time.  You may choose to have your data forgotten....or go ahead with deletion, with data retained for the purpose of recreating the character.

And have a confirm nav that they could either re-set the pref to NO...and back to the landing screen...or YES...and character deleted with data retained.

In this way, you are informing them that their data is stored...for what purpose...and giving them an option to not have it stored...and explaining the consequences of that choice.

Obviously...if there is an Admin-generated delete..then the Restorer would be set to automatically wipe out any data....because likely you do not want that player to come back, anyway.

Just seems like what I have in mind would serve the purpose of what we are doing here.

By the way...add something that...if they choose to abort the delete...and not delete the character...the pref gets set back to NO SAVE.

This way it automatically is no save...unless user specifically says save JUST BEFORE DELETION.

And an Admin-generated delete would happen with the pref already set at NO SAVE as that is the permanent default.

Thus the Restorer only fires after the player has been informed that it will...and for what purpose...and gives them the right to opt-IN to have it saved.  Thus, implied consent.

I am not a lawyer or anything, but it seems this would be sufficient for what we are doing here...just a little RPG...right??


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on May 30, 2018, 10:43:41 AM
I agree with you on everything.
I meant „as far as cookies go“ and not anything lotgd specific.

But keep in mind that as soon as you have a cookie set or a session started, and that often happens a lot ( like say a paypal donation button that could have a tracker ), you are already in the line of fire. It's really that simple. I am located in Switzerland where technically you are not in the EU, and yet a lawyer we had to hire to check the status of the pages of our small company, urged us to put a thorough privacy disclaimer ( on every cookie and why it's needed, etc.. ) on every page, even if technically they were public pages.

It's not about your page not being compliant with the gdpr, it's about putting your ass in safety if there is a moron that decides to sue you from within Europe if he thinks your disclaimer is not good enough. And since you never know when some shit in your page sets a new cookie that is not declared, you might be subject to have to prove that you handle data correctly by the authorities.

It's a freaking nightmare and no one knows what's gonna happen. People now start realizing that their simple pages are collecting data through their plugins.

It's a great time for lawyers and ppl that want to sue others. If someone does not like your site, he / she just has to create an account, and mess with you. It's completely irrelevant if it is a game or a wordpress site.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 30, 2018, 10:01:23 PM
I agree with you on everything.
I meant as far as cookies go and not anything lotgd specific.

But keep in mind that as soon as you have a cookie set or a session started, and that often happens a lot ( like say a paypal donation button that could have a tracker ), you are already in the line of fire. It's really that simple. I am located in Switzerland where technically you are not in the EU, and yet a lawyer we had to hire to check the status of the pages of our small company, urged us to put a thorough privacy disclaimer ( on every cookie and why it's needed, etc.. ) on every page, even if technically they were public pages.

It's not about your page not being compliant with the gdpr, it's about putting your ass in safety if there is a moron that decides to sue you from within Europe if he thinks your disclaimer is not good enough. And since you never know when some shit in your page sets a new cookie that is not declared, you might be subject to have to prove that you handle data correctly by the authorities.

It's a freaking nightmare and no one knows what's gonna happen. People now start realizing that their simple pages are collecting data through their plugins.

It's a great time for lawyers and ppl that want to sue others. If someone does not like your site, he / she just has to create an account, and mess with you. It's completely irrelevant if it is a game or a wordpress site.


But if PayPal is collecting the info...isn't that PayPal's problem and not mine?

If I and my actual site are not collecting the data??

I think a disclaimer at character creation stating that you agree to hold harmless the operators of this site...could be a good idea.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Aeolus on May 30, 2018, 11:19:34 PM
You use cookies, therefore you collect data. FK, for reference, uses a privacy policy.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 31, 2018, 12:01:46 AM
You use cookies, therefore you collect data. FK, for reference, uses a privacy policy.

Must have a look.  Does your privacy policy (I assume you mean a disclaimer statement) actually serve to keep you from trouble with this new law?

I see your front page discloses that you have cookies.

Is that actually good enough?

Wondering if an agreement, at character creation that says, creating a character here means that you, the user, agree to hold harmless under any EU laws concerning data privacy.

We have external links that do use cookies, as does this site.  This game is not playable without them.

Data gathered is used only for the purposes of this game and is not disseminated or sold to any third party.

Something along those lines....

I am just trying to figure a way to make sure that there is "implied consent" - I will still, of course, do everything possible to be in full compliance...among them, either not using the character restorer...or allowing the pref I mention above if I do...but I am just looking to cover any possible cracks in this.


So far, I have added the following code to my creation page, beginning at line 102 in create.php
Code:
page_header("Create A Character");
if (getsetting("allowcreation",1)==0){
    output("`\$Creation of new accounts is disabled on this server.");
    output("You may try it again another day or contact an administrator.");
}else{
    if ($op=="create"){
        rawoutput("<big>");
        output("`#Notice to all players residing in the European Union (EU):  Due to the new GDPR laws concerning Data Privacy enacted in the EU, creation of a character on this site gives site operators");
        output(" implied consent to store and use your data for the purposes of gameplay on this site.  This site does use cookies and has links to third-party sites.  While the site operators will");
        output(" do everything reasonable to protect the personal data of players, and will, on request, delete a character along with all personal data, `n`n`^creation of a character on this site");
        output(" constitutes implied consent to store such data for the purposes of, and in the manner above described.  `n`n`QAny user of this site agrees to hold harmless from any and all liability");
        output(" under the GDPR laws of the EU, or any similar laws in the jurisdiction in which the user may reside.");
        rawoutput("</big>");
        addnav("`b`^Agree and Continue`b","create.php?op=create2");
        addnav("`b`QDo Not Agree`b","home.php");
        page_footer();
    }
    if ($op=="create2"){
attached file is how it looks on my site.

If they do not agree, it aborts character creation and takes them back to the home screen.






Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Stephen.Kise on May 31, 2018, 01:10:41 AM
You use cookies, therefore you collect data. FK, for reference, uses a privacy policy.

Must have a look.  Does your privacy policy (I assume you mean a disclaimer statement) actually serve to keep you from trouble with this new law?
Privacy policies are required by law. So in a way, yes, they do keep you out of trouble.

I see your front page discloses that you have cookies.

Is that actually good enough?

Wondering if an agreement, at character creation that says, creating a character here means that you, the user, agree to hold harmless under any EU laws concerning data privacy.

We have external links that do use cookies, as does this site.  This game is not playable without them.

Data gathered is used only for the purposes of this game and is not disseminated or sold to any third party.

Something along those lines....
That's essentially what the new legislation requires.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 31, 2018, 01:20:02 AM
You use cookies, therefore you collect data. FK, for reference, uses a privacy policy.

Must have a look.  Does your privacy policy (I assume you mean a disclaimer statement) actually serve to keep you from trouble with this new law?
Privacy policies are required by law. So in a way, yes, they do keep you out of trouble.

I see your front page discloses that you have cookies.

Is that actually good enough?

Wondering if an agreement, at character creation that says, creating a character here means that you, the user, agree to hold harmless under any EU laws concerning data privacy.

We have external links that do use cookies, as does this site.  This game is not playable without them.

Data gathered is used only for the purposes of this game and is not disseminated or sold to any third party.

Something along those lines....
That's essentially what the new legislation requires.

Good deal.
I have added, as indicated, a step to my character creation screen.  It functions as I intended, and a screenshot is available in my post above.

Additionally, since players may already exist, I have posted an MOTD about it.  I also added a line to the home screen informing players residing in the EU to read that MOTD.

The MOTD outlines all of this and states that if any player in the EU does not agree with this, for any reason, to immediately contact site Admin for character deletion, along with deletion of all personal data as is maintained by my site.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on May 31, 2018, 10:44:57 AM
@tgtarheel :what is your page again ?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on May 31, 2018, 04:51:23 PM
@tgtarheel :what is your page again ?

The live site can be found at www.kalisiin.com

I am currently developing a new site, which runs the 1.1.2 server, that one will be called Rise of the Kujitai, and is set some 600 years in the future of the current realm...and it is a time of civil war...a civil war of not two, but THREE different factions.  The other site is nearly ready for live BETA testing.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on June 01, 2018, 04:49:01 AM
As far as i can see, you have two cookies set :

   -   PHPSESSION   -> obvious reasons
   -   lgi       -> don't know what this one does ( maybe someone can help here )

You should declare the use of those two cookies ( what they do and why they are needed for the game to work )
basically the one for the PHPSESSION is needed for state ( so that the user keeps his information when he switches pages )
and the other called "lgi" is unknown to me, not sure what that one does .. you should check this out.. if it is needed at all

Add a bottom bar ( or top ) where you warn anyone that the page uses those two specific cookies ( there are plugins for that and they are free ). This is annoying , but should be present at least in the front page

Create a page in the SAME domain that states what you do with the entered data from your users in general ( basically a PRIVACY POLICY )

When the user LOGS in , you should have a notice ( a small one ) that states that by logging in he/she agrees to the PRIVACY POLICY , and you should add a link to that page too. Try to do this in a non intrusive but clearly noticeable way. Do not use popups as they are often blocked, maybe in MOTD or above it.

When a user SIGNS UP, add 2 check boxes that MUST be checked before the account can be created. One stating that the user accepts the terms of service and the other more important, that he accepts the PRIVACY POLICY. Add a link to the privacy policy in the same page.

When a user is created, add a DB field to the user account with a timestamp so that you can provide the registration time when asked for it ( in case you should have to do it ).

Avoid putting extra conditions and terms on single pages, it's better to have it in a dedicated page where the user is redirected to if he wishes so and this helps keep things organized.
Remember to keep somehow a button or a link at the bottom with direct access to that page at all times.


Doing so should put you on the safe side.

As far as the contents of the privacy policy goes, besides having the usual stuff that you can get from anywhere in the web, you should at least put in what you do with inactive accounts, the time you take to delete Data if a user wishes to resign and the consequences of doing so ( i.e. the user account will be unrecoverable if the user really wishes to delete it )


You see.. even for a page that is very conservative and with almost no connections to data collection services like yours, it still is a pain in the ass ( literally ) to make it something like compliant with GDPR. But hey, once you have it, it's done.





Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 01, 2018, 09:48:09 AM
As far as i can see, you have two cookies set :

   -   PHPSESSION   -> obvious reasons
   -   lgi       -> don't know what this one does ( maybe someone can help here )

You should declare the use of those two cookies ( what they do and why they are needed for the game to work )
basically the one for the PHPSESSION is needed for state ( so that the user keeps his information when he switches pages )
and the other called "lgi" is unknown to me, not sure what that one does .. you should check this out.. if it is needed at all

Add a bottom bar ( or top ) where you warn anyone that the page uses those two specific cookies ( there are plugins for that and they are free ). This is annoying , but should be present at least in the front page

Create a page in the SAME domain that states what you do with the entered data from your users in general ( basically a PRIVACY POLICY )

When the user LOGS in , you should have a notice ( a small one ) that states that by logging in he/she agrees to the PRIVACY POLICY , and you should add a link to that page too. Try to do this in a non intrusive but clearly noticeable way. Do not use popups as they are often blocked, maybe in MOTD or above it.

When a user SIGNS UP, add 2 check boxes that MUST be checked before the account can be created. One stating that the user accepts the terms of service and the other more important, that he accepts the PRIVACY POLICY. Add a link to the privacy policy in the same page.

When a user is created, add a DB field to the user account with a timestamp so that you can provide the registration time when asked for it ( in case you should have to do it ).

Avoid putting extra conditions and terms on single pages, it's better to have it in a dedicated page where the user is redirected to if he wishes so and this helps keep things organized.
Remember to keep somehow a button or a link at the bottom with direct access to that page at all times.


Doing so should put you on the safe side.

As far as the contents of the privacy policy goes, besides having the usual stuff that you can get from anywhere in the web, you should at least put in what you do with inactive accounts, the time you take to delete Data if a user wishes to resign and the consequences of doing so ( i.e. the user account will be unrecoverable if the user really wishes to delete it )


You see.. even for a page that is very conservative and with almost no connections to data collection services like yours, it still is a pain in the ass ( literally ) to make it something like compliant with GDPR. But hey, once you have it, it's done.





Appreciate the guidance.  Now...can I get that in a checklist format so I can check off each thing as I do it...and of course I then have to figure out how.

Should not be terribly hard to create the privacy policy since we really do use a minimum of cookies and, as far as I know, only for legitimate game purposes, the game literally would not be playable without them.

I think the hardest thing is the two check boxes...how to make it not create an account if the boxes are not checked...I make them, currently, agree to the policy at character creation, and that creates a timestamp of its own
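
Added example (not part of any post in this thread, and not LoGD code): one way to refuse account creation on the server unless both check boxes were ticked, and to store the consent timestamp pharis suggests. The field names `accept_tos` and `accept_privacy`, the columns `consent_at` and `consent_policy`, the policy version string and the in-memory SQLite table are all assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical form field names for the two check boxes (value="1" in the form).
const REQUIRED_CONSENTS = [
    'accept_tos'     => 'You must accept the terms of service.',
    'accept_privacy' => 'You must accept the privacy policy.',
];

// Return one error per consent box that was not ticked.
function missing_consents(array $post): array
{
    $errors = [];
    foreach (REQUIRED_CONSENTS as $field => $message) {
        // An unticked check box is absent from the POST body, and a crafted
        // request can send anything, so only the exact string '1' counts.
        if (($post[$field] ?? null) !== '1') {
            $errors[$field] = $message;
        }
    }
    return $errors;
}

// Create the account only when both consents are present, and record when
// consent was given and for which version of the policy.
function create_account(PDO $db, array $post, string $policyVersion): array
{
    $errors = missing_consents($post);
    $login = is_string($post['login'] ?? null) ? trim($post['login']) : '';
    if ($login === '') {
        $errors['login'] = 'A login name is required.';
    }
    if ($errors !== []) {
        // Nothing is written to the database on any failure.
        return ['ok' => false, 'errors' => $errors];
    }
    $stmt = $db->prepare(
        'INSERT INTO accounts (login, consent_at, consent_policy)
         VALUES (:login, :at, :policy)'
    );
    $stmt->execute([
        ':login'  => $login,
        ':at'     => gmdate('Y-m-d H:i:s'), // stored in UTC
        ':policy' => $policyVersion,
    ]);
    return ['ok' => true, 'acctid' => (int) $db->lastInsertId()];
}

// Constructed demo table and constructed requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, login TEXT,
           consent_at TEXT, consent_policy TEXT)');

$requests = [
    'both boxes ticked'   => ['login' => 'alice', 'accept_tos' => '1', 'accept_privacy' => '1'],
    'privacy box missing' => ['login' => 'bob', 'accept_tos' => '1'],
    'tampered value'      => ['login' => 'carol', 'accept_tos' => '1', 'accept_privacy' => ['1']],
];
foreach ($requests as $label => $post) {
    $result = create_account($db, $post, '2018-05-25');
    echo $label, ': ', json_encode($result), "\n";
}
echo 'accounts stored: ', $db->query('SELECT COUNT(*) FROM accounts')->fetchColumn(), "\n";
```

A `required` attribute on the check boxes only helps honest browsers; the check that matters is the one the server runs before the insert.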


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on June 01, 2018, 10:26:51 AM
You can treat every paragraph as a checklist point :)


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 01, 2018, 12:35:11 PM
You can treat every paragraph as a checklist point :)

Anyone know what that cookie pharis mentioned is or what it does or if it is needed?

This stuff is seriously stupid...I mean, what we have to go thru for a GAME that most of us who run them, end up running them at a cost out of our pocket, not making a profit or even covering our costs.

But the law is the law.

You know that the law is intended for the big offenders, but you ALSO know they will find someone little to make an example of.  So best to have your ash titanium-plated.

TBH, they wrote this law horrible.  First, I do not see why I as an American, should be subject to EU law, anyway.
Second, I work all day with what we call PHI in my biz.  This is Protected Health Information.  And I can tell you the laws in that area...are less strict than this is.  And all I have to do is show that I am making a reasonable effort.  What you have to go through with THIS law is beyond reason...for people operating at OUR level.

Almost easier to just not accept players from the EU, huh?  Except that the pool of players on this game is so limited, you can't afford to not take anyone who wants to play, so long as they follow the rules.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Aeolus on June 01, 2018, 06:50:03 PM
Anyone know what that cookie pharis mentioned is or what it does or if it is needed?

This stuff is seriously stupid...I mean, what we have to go thru for a GAME that most of us who run them, end up running them at a cost out of our pocket, not making a profit or even covering our costs.

But the law is the law.

You know that the law is intended for the big offenders, but you ALSO know they will find someone little to make an example of.  So best to have your ash titanium-plated.

TBH, they wrote this law horrible.  First, I do not see why I as an American, should be subject to EU law, anyway.
Second, I work all day with what we call PHI in my biz.  This is Protected Health Information.  And I can tell you the laws in that area...are less strict than this is.  And all I have to do is show that I am making a reasonable effort.  What you have to go through with THIS law is beyond reason...for people operating at OUR level.

Almost easier to just not accept players from the EU, huh?  Except that the pool of players on this game is so limited, you can't afford to not take anyone who wants to play, so long as they follow the rules.

Here isn't the place to complain about something we at DP can't change. Take it elsewhere.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 01, 2018, 08:43:58 PM
Anyone know what that cookie pharis mentioned is or what it does or if it is needed?

This stuff is seriously stupid...I mean, what we have to go thru for a GAME that most of us who run them, end up running them at a cost out of our pocket, not making a profit or even covering our costs.

But the law is the law.

You know that the law is intended for the big offenders, but you ALSO know they will find someone little to make an example of.  So best to have your ash titanium-plated.

TBH, they wrote this law horrible.  First, I do not see why I as an American, should be subject to EU law, anyway.
Second, I work all day with what we call PHI in my biz.  This is Protected Health Information.  And I can tell you the laws in that area...are less strict than this is.  And all I have to do is show that I am making a reasonable effort.  What you have to go through with THIS law is beyond reason...for people operating at OUR level.

Almost easier to just not accept players from the EU, huh?  Except that the pool of players on this game is so limited, you can't afford to not take anyone who wants to play, so long as they follow the rules.

Here isn't the place to complain about something we at DP can't change. Take it elsewhere.
I know, LOL.

But do appreciate the guidance been getting here.  Do you have any idea what that cookie pharis mentioned is and what it does and if it is needed...and if not, how to remove it?


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on June 03, 2018, 01:46:05 PM
Just a few things in the posts I picked up and wanted to give my 2 cents:

 -> the cookie in lotgd (the lgi) stores i.e. the unique cookie ID which identifies PCs (last accessed) --> that *needs* to be in your data privacy statement, it is a tracker
     it also has the template i.e.the user selected stored, but that's rather uninteresting (no personal data)
 -> as soon as you store personal data, you need either a deletion date or a consent for the being-stored. If somebody deletes himself and can choose what he wants (also a statement how he can later request deletion) that is fine. But what about expired chars? There is no consent really... which is the major problem that forced me to hash the emails.
  -> The "creationaddon" is a really nice thing to put up. You should use it. (maybe expand to make all users agree as I did)

From what I have seen currently, not much is enforced - so it's a bit of a breather.

@the argument "I'm outside the EU, why should it apply" --> "do you deny EU citizens your service? if not, you have to protect their data according to GDPR"
it's that simple. An EU citizen could go to court if you don't. "could" being the word.



Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on June 04, 2018, 07:23:34 AM
I agree. Most likely, nothing will happen. But that could scenario can just be someone being a stupid person making your life difficult. As with most laws of this kind, it will serve ppl who are in the suing business and want to hinder rivals. Or just maybe a random dude that just does not like you. And that is the tragic part of this. And it already started between businesses over here, mostly rivals. Probably the whole thing will settle down, but it's hot waters right now.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 04, 2018, 09:31:43 PM
Just a few things in the posts I picked up and wanted to give my 2 cents:

 -> the cookie in lotgd (the lgi) stores i.e. the unique cookie ID which identifies PCs (last accessed) --> that *needs* to be in your data privacy statement, it is a tracker
     it also has the template i.e.the user selected stored, but that's rather uninteresting (no personal data)
 -> as soon as you store personal data, you need either a deletion date or a consent for the being-stored. If somebody deletes himself and can choose what he wants (also a statement how he can later request deletion) that is fine. But what about expired chars? There is no consent really... which is the major problem that forced me to hash the emails.
  -> The "creationaddon" is a really nice thing to put up. You should use it. (maybe expand to make all users agree as I did)

From what I have seen currently, not much is enforced - so it's a bit of a breather.

@the argument "I'm outside the EU, why should it apply" --> "do you deny EU citizens your service? if not, you have to protect their data according to GDPR"
it's that simple. An EU citizen could go to court if you don't. "could" being the word.



What is the "creationaddon"??  Where can I get it?

I just want to comply with this the best I can with as little extra effort and BS as possible.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 04, 2018, 10:03:41 PM
As an aside....
if we can have a module that is a character restorer...could we not have one that was a total character destroyer?  That it would literally remove any line from the database attached to the specific acctid or something??

I am just curious.

Like I said, looking for a way to deal with this with as little extra NBS as possible...because as you all correctly point out above, this law will never be used to protect anyone...just for some people to try to hurt other people.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: pharis on June 05, 2018, 11:03:11 AM
In a broad sense it will help all users to better control their data, but that will take some time. For now, I guess no one really knows what is going on.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 05, 2018, 08:44:49 PM
In a broad sense it will help all users to better control their data, but that will take some time. For now, I guess no one really knows what is going on.

Just throwing ideas out there.  I know you can remove lines of data from a table with php coding within a module of LOTGD...even if you just zero out the data, right?

So why not something like that?

I propose to start from something I have on my server, attached to Circulum Vitae, called Dwellings Destroyer...and it destroys all the dwellings of one going thru Circulum.  Why could that not be expanded upon to destroy all data from a player who so wishes to have their data destroyed??  That is what I am saying.

If anyone wants to see the file, let me know, I do not know that one is available here on DP.

Just checked.  That file is not here on DP...at least not in the downloads section.  There's a coffers emptier...but mine is a dwellings destroyer that destroys the dwellings entirely.

Seems to me that function could be expanded on and serve as a complete character deleter.

Here is the basic meat of that code
Code:
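// Table name with the installation's prefix applied.
$dw=db_prefix("dwellings");
// Cast to int so only a number can reach the SQL string.
$acctid=(int)$session['user']['acctid'];
// Zero the coffers, then remove the player's dwellings.
$sql="update $dw set gold = 0, gems = 0 where ownerid = $acctid";
db_query($sql);
$sql="delete from $dw where ownerid = $acctid";
db_query($sql);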

Of course, you would need to do this code string over and over again for every table you have in your database....right??

This one just wipes out the character's dwellings...of course along with any gold, gems or commentary that was there.

You'd need to know each table...and you'd need to know which column to focus on, so it would take a little work, but would this not do the trick for GDPR compliance?

Just as an example, in the commentary table, you'd key on the column "author" matching the $session['user']['acctid']



Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on June 06, 2018, 11:15:18 AM
CreationAddon: http://www.orpgs.com/downloads
But it seems that's offline =/
I added my copy, but it's modified, I commented some stuff out I didn't need.

@removal of data / deletion
you *only* need to delete personal data. any items, achievements... no worries.
but email, name, cookie id, ip ... that's personal and can be requested to be deleted.

You can keep dwellings etc too...


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 06, 2018, 11:17:31 AM
CreationAddon: http://www.orpgs.com/downloads
But it seems that's offline =/
I added my copy, but it's modified, I commented some stuff out I didn't need.

@removal of data / deletion
you *only* need to delete personal data. any items, achievements... no worries.
but email, name, cookie id, ip ... that's personal and can be requested to be deleted.

You can keep dwellings etc too...

Thanks, let me check this out.

OK, skimmed it.  I see where you must put in your own privacy statement and so on...it would seem to take care of the front end of the GDPR.  Now how about the back end...as far as data deletion on request?

Would a mod of my Dwellings Destroyer do the trick here??  Just delete what must be deleted...from the database, on request??

By the way, nice work, Nightborn!  Many thanks.


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: Nightborn on June 06, 2018, 01:46:13 PM
You're welcome =)

As said, what must be deleted is in my gdpr mod I added :P

It does hook into the creationaddon and create a link there - so you can set up a perma-delete there.

The lotgd delete function (IF you either disable the charrestorer-savefile OR hash/delete the email address+ip+id) will do just fine if somebody wants to be deleted.
As said, it's not necessary to remove any footprint he/she left, just the personal stuff that can be tied to a natural person.
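
Added example (not part of any post in this thread, and not the gdpr module's code): a sketch of the erasure described above, blanking only the personal columns of an account while dwellings and other game data stay, plus a restore snapshot that drops those columns unless the player opted in. The column names, the function names and the in-memory SQLite tables are assumptions made for the demo; check them against your own database.

```php
<?php
declare(strict_types=1);

// Columns the thread names as personal: name, email, IP and cookie ID.
// The column names are assumptions about the accounts table.
const PERSONAL_COLUMNS = ['name', 'emailaddress', 'lastip', 'uniqueid'];

// Constructed, simplified tables and rows for the demo.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, name TEXT,
               emailaddress TEXT, lastip TEXT, uniqueid TEXT, gold INTEGER)');
    $db->exec('CREATE TABLE dwellings (dwid INTEGER PRIMARY KEY, ownerid INTEGER, gold INTEGER)');
    $db->exec("INSERT INTO accounts VALUES
               (1, 'Farmboy Alice', 'alice@example.org', '192.0.2.10', 'c0ffee01', 500),
               (2, 'Squire Bob', 'bob@example.org', '192.0.2.20', 'c0ffee02', 80)");
    $db->exec('INSERT INTO dwellings VALUES (1, 1, 250)');
    return $db;
}

// List the personal columns of an account that still hold a value.
function personal_data_left(PDO $db, int $acctid): array
{
    $stmt = $db->prepare(
        'SELECT ' . implode(', ', PERSONAL_COLUMNS) . ' FROM accounts WHERE acctid = :id'
    );
    $stmt->execute([':id' => $acctid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
    return array_keys(array_filter($row, fn($v) => $v !== null && $v !== ''));
}

// Blank the personal columns of one account and leave game data alone.
// Returns true only if exactly one row was changed and nothing personal remains.
function erase_personal_data(PDO $db, int $acctid): bool
{
    $assignments = [];
    foreach (PERSONAL_COLUMNS as $col) {
        // Column names come from the constant above, never from a request.
        $assignments[] = "$col = ''";
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'UPDATE accounts SET ' . implode(', ', $assignments) . ' WHERE acctid = :id'
        );
        $stmt->execute([':id' => $acctid]);
        if ($stmt->rowCount() !== 1) {
            $db->rollBack();
            return false; // unknown account: nothing was changed
        }
        $db->commit();
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
    return personal_data_left($db, $acctid) === [];
}

// What a restore snapshot may contain. Without an explicit opt-in the
// personal columns are dropped before anything is written to disk.
function restore_snapshot(array $accountRow, bool $optedIn = false): array
{
    if ($optedIn) {
        return $accountRow;
    }
    return array_diff_key($accountRow, array_flip(PERSONAL_COLUMNS));
}

$db = demo_db();
$row = $db->query('SELECT * FROM accounts WHERE acctid = 1')->fetch(PDO::FETCH_ASSOC);
echo 'snapshot without opt-in: ', json_encode(restore_snapshot($row)), "\n";
echo 'erase account 1: ', var_export(erase_personal_data($db, 1), true), "\n";
echo 'erase account 99: ', var_export(erase_personal_data($db, 99), true), "\n";
echo 'dwellings kept: ', $db->query('SELECT COUNT(*) FROM dwellings')->fetchColumn(), "\n";
echo 'account 2 untouched: ', json_encode(personal_data_left($db, 2)), "\n";
```

On MySQL, `rowCount()` counts rows actually changed by default, so a second run against an already blanked account reports false.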


Title: Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd
Post by: TGTarheel on June 06, 2018, 04:48:11 PM
You're welcome =)

As said, what must be deleted is in my gdpr mod I added :P

It does hook into the creationaddon and create a link there - so you can set up a perma-delete there.

The lotgd delete function (IF you either disable the charrestorer-savefile OR hash/delete the email address+ip+id) will do just fine if somebody wants to be deleted.
As said, it's not necessary to remove any footprint he/she left, just the personal stuff that can be tied to a natural person.

So if I plug and play the creation addon, and gdpr, I should be good?

Just need to then come up with a privacy statement, yes??

Just want to figure out how to cover my ass.  I hate stupid laws like this, because they are never used to actually protect people (good purposes) and are always used to hurt people...witness what pharis was talking about about how rivals are trying to use it to hurt each other...

© 2018 DragonPrime - LoGD Resource Community
Email Talisman: talisman -at- gmail.com
Forums: Powered by SMF 1.1.21 | SMF © 2006-2007, Simple Machines