

API and GDPR

8 replies to this topic

BatelGeuce #1 Posted 29 May 2018 - 04:20 PM

    Captain

  • Player
  • 27218 battles
  • 2,196
  • [CSA-2] CSA-2
  • Member since:
    09-23-2011

Good afternoon,

 

I have a question regarding API and GDPR. I have a website tracking the activity and tanks of my clan mates, I have also read the new agreement regarding the API but I am not sure I fully understand the changes. It kinda says I can't permanently store data from API, what exactly does that mean? Because accessing the API every time someone would like to see the activity or tanks would mean a lot of network load so I am saving it in the database.

 

So my questions are:

 

If I wanted to keep the website running using the API to track the activity/tanks, do I need the consent of every single member of the clan?

Am I allowed to save the data in the database to save the traffic?

 

It might be stupid to ask this but I am really confused. I'll appreciate any answer you give me.



kaadomin #2 Posted 31 May 2018 - 08:42 AM

    Second Lieutenant

  • Player
  • 29748 battles
  • 1,154
  • [NXD] NXD
  • Member since:
    06-11-2012

There are a number of questions left ... let's try to discuss. On a new clan you could make the application for the clan on your tool: accept the rules and login to apply :)

Or put all in reserve until they say "YES, I will" ... and request only from players not set as reserve - but ... you have to send a request to see if the player is set not reserve.

 

If we are not allowed to retrieve player states without explicit permission of the player, XVM ingame values would be empty. The main question - account data are personal data? If yes, they have to be redeclared as private data.

 

I try to explain to my players which private data I retrieve with the login (list of friends, tanks in garage to highlight them), when I will delete these values (combination player <-> friend after 24 hours, tanks blur after some days) *)

 

I think Wargaming doesn't want something like an API-proxy. They force us to extend the value: "Applications must bring additional value for the end-users and must not replicate any existing functionality of Wargaming products or services." For me this contains display of values as a function of time. I think it would be rubbish to store e.g. number of damage dealt as waypoints in a diagram rather than as pure values. Saving pure values gives the opportunity to recreate with other scaling without calculating backward.

 

*) Edit: this friend list doesn't work since a couple of weeks, I delete some groups and moved friends ... but still the old combination.


Edited by kaadomin, 31 May 2018 - 09:08 AM.


Generol #3 Posted 31 May 2018 - 08:54 AM

    Lance-corporal

  • Player
  • 4826 battles
  • 90
  • [AIM-J] AIM-J
  • Member since:
    04-01-2011

kaadomin, on 31 May 2018 - 08:42 AM, said:

If we are not allowed to retrieve player states without explicit permission of the player, XVM ingame values would be empty. The main question - account data are personal data? If yes, they have to be redeclared as private data.

 

There is no need to redeclare account data as private data, and what XVM does is not correct according to the GDPR... Account names and identifiers that can be directly mapped to a natural person are private data. This applies to account names and account ids. https://gdpr-info.eu/recitals/no-30/

I think they would need to change their server to only show data of players that logged in to the XVM website and allow that .. and any EU player has the right to ask them to stop using their data at any point.

 


Edited by Generol, 31 May 2018 - 08:54 AM.


kaadomin #4 Posted 31 May 2018 - 09:50 AM


Generol, on 31 May 2018 - 08:54 AM, said:

There is no need to redeclare account data as private data, and what XVM does is not correct according to the GDPR... Account names and identifiers that can be directly mapped to a natural person are private data. This applies to account names and account ids. https://gdpr-info.eu/recitals/no-30/

I think they would need to change their server to only show data of players that logged in to the XVM website and allow that .. and any EU player has the right to ask them to stop using their data at any point.

 

 

the last part: "...may be used to create profiles of the natural persons and identify them".

 

A wot-account does not identify a natural person! I know multiple persons using one account and persons using multiple accounts. These data for mapping are not available on the API side. If you decide to call your wot-identity firstname_lastname - you did the mapping. This is not Facebook, requesting a real name. There is no need to map any wot-id to a real person, you can use paysafe for payment. The only point where a real ID is mapped to an account is the phone number, and with API-development, I have to add a real number.

 

As long as the data are available on service record, everyone can see in the game, I see no problem with switching from paper/brain to database.

 

Another sample: I have no problems with fake identities/pseudonyms (first name) on TS, but I request a name I can speak (not "klh1aw3f89ra2") and the person to react, if I talk to him/her/it.

 

We also need possibilities to manage clans - without data - no chance. It's like a firm or a sport club without any knowledge when somebody is working and what he is doing. How - without any knowledge about a player, how should I tell him - "it's okay if you take your VK30.01H for skirmish"  "forget your T37 until you have more experience."

If you have to manage a clan, you have to see differences between "I think, I'm a good player" and the "he hits every battle one time an enemy". You also need to know how long a member was not in - days? weeks? months? years? ... You can not join a sport club without telling your (real!) name.

 

Edit: did I mention the stupid auto smiley?


Edited by kaadomin, 31 May 2018 - 09:51 AM.


Generol #5 Posted 31 May 2018 - 10:31 AM


kaadomin, on 31 May 2018 - 09:50 AM, said:

A wot-account does not identify a natural person! I know multiple persons using one account and persons using multiple accounts.

 

That doesn't matter at all .. that's the same for IP addresses, which are also personal data. (Only your provider knows who is the account owner, there might be a whole family behind it.) It's enough that Wargaming can create the mapping between an account owner and the account name to make it personal for the law.

 

You can use the data ... but you need the consent of the user.

 

Wargaming is on the safe side .. they state which data they share with application developers .. and developers have to agree with their terms: https://developers.w...ules/agreement/ that they follow "all relevant legislation, regulations, codes of practice, guidance and other requirements of any relevant government, regulatory agency or other body"

 

That's why I doubt that Wargaming will give any legal advice here what you can do and what not ;)


Edited by Generol, 31 May 2018 - 10:39 AM.


kaadomin #6 Posted 31 May 2018 - 11:49 AM


Generol, on 31 May 2018 - 10:31 AM, said:

That doesn't matter at all .. that's the same for IP addresses, which are also personal data. (Only your provider knows who is the account owner, there might be a whole family behind it.) It's enough that Wargaming can create the mapping between an account owner and the account name to make it personal for the law.

 

You can use the data ... but you need the consent of the user.

 

Wait a minute:

 

If the player doesn't use my tool and we only use the on API, I can't get his IP. There is no difference for his personal data if I use statistic values of his account on his service record or in my table. I can't get his IP, phone number ... from Wargaming => I have no personal data.

 

If he uses the tool ... we can have the usual spam "Let me eat your cookies or go ahead" but this was not the question.

With login via WG-login the user accepts the transfer of his private declared data (number of gold and some other account stuff) but this is not personal data according to this law. BTW - we have to use this login.

 

What we do, is a citation from a source including giving correct information about the source and a scientific work with these data. I know this law has a lot of problems with a lot of other rules written in older laws, but we shall not talk about politics  ...



Generol #7 Posted 31 May 2018 - 12:31 PM


kaadomin, on 31 May 2018 - 11:49 AM, said:

If the player doesn't use my tool and we only use the on API, I can't get his IP. There is no difference for his personal data if I use statistic values of his account on his service record or in my table. I can't get his IP, phone number ... from Wargaming => I have no personal data.

 

storing the name of the account together with the data already makes it personal.

 

you could create a tool for example that fetches public api of  a player every 30 minutes and store that in your database.

after a few days you can look at the data and create a profile of the player at what times he usually plays, how long he plays, how many matches he plays and stuff like that.

if you store data before asking for his permissions you are breaking the law. ( This is why storing data from the api permanently is now forbidden -> §9 in https://developers.w...ules/agreement/ says

You shall not: create permanent copies of the API Data )


Edited by Generol, 31 May 2018 - 12:32 PM.


kaadomin #8 Posted 31 May 2018 - 03:21 PM


Generol, on 31 May 2018 - 12:31 PM, said:

 

storing the name of the account together with the data already makes it personal.

 

you could create a tool for example that fetches public api of  a player every 30 minutes and store that in your database.

after a few days you can look at the data and create a profile of the player at what times he usually plays, how long he plays, how many matches he plays and stuff like that.

if you store data before asking for his permissions you are breaking the law. ( This is why storing data from the api permanently is now forbidden -> §9 in https://developers.w...ules/agreement/ says

You shall not: create permanent copies of the API Data )

 

I think this discussion is very useful. What do you think - how long is permanent and what is a copy? :)

 

If I track ... let's take numbers of battles or anything else:

Version a) dataset of (time, number) - it is a copy or a citation

 

Here we have the problem of "permanent". I think it's really permanent and a problem, if I don't destroy data, when the account was dropped by WG. With the wish of the owner and without. This is the reason behind this law, forget all my data after my account was deleted. (it's okay for me, I have some comments but not officially).

 

Version b) dataset of (delta[time], delta[number]) is a vector and it is not a copy .... BTW - here we should delete too, because it's the meaning of the law.

 

But - I see a problem with some guys (I know someone with a short time in your clan) with multiple accounts, changing nicks, telling tales ... why should I spend hours in recruiting for a guy with a very special and incompatible thinking ...

 

BTW: we are forced to keep the count of requests low - this means we have to cache ...

 

I think a clan like CSA/CSA-2 can force "say yes or go" - best point at middle of campaign :P. A clan without interest in quality of players has also no problem - nobody needs any measuring. I have no problem with my active young and wild we got from black/dark red to yellow during the last year. A problem are older clans on medium level with players only wearing the same colours.



BatelGeuce #9 Posted 31 May 2018 - 07:45 PM


I kinda have to store some data from API because the activity tracker is based on "monthly" CW/SH number load that I reset manually when we close a payout period and daily refresh to update the activity daily. It also computes the amount of gold the player is going to get based on rules set by the commanders which means it's not just replicating something made by WG but it also adds some other features. As for the tanks I pull all the available data and I gotta store them for long periods of time. I have a table of WG tanks and table with all the tanks of every player in the clan. Then I select all the tier X tanks and some statistics (average damage, WR) requested by the clan commanders. They can access 5 tables including all the tier X tanks sorted by class and if there is Y>0 tanks in the clan they can go to a list of players who own that tank. As for the consent I already thought about that before and I also have a system ready for that which would only track players who log in at least once using the WGLogin which lists all the data I can access from API.

 

EDIT: I say "I have" but I actually shut the page down until I solve all these problems.


Edited by BatelGeuce, 01 June 2018 - 10:11 AM.
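
The consent-gated, time-limited caching discussed in posts #2 and #9 can be sketched as below. This is an added example, not code from any poster or from Wargaming; the table names, the `kind` labels and the 7-day statistics lifetime are assumptions (only the 24-hour friend-mapping lifetime is taken from post #2), and timestamps are passed in as plain integers so the expiry logic can be exercised directly.

```python
import sqlite3

# Lifetimes in seconds. 24 hours for the friend mapping is the figure from
# post #2; the 7-day statistics lifetime is an assumed value for this example.
TTL = {"friends": 24 * 3600, "stats": 7 * 24 * 3600}

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")  # required for ON DELETE CASCADE
    db.executescript("""
        CREATE TABLE IF NOT EXISTS consent(
            account_id INTEGER PRIMARY KEY, granted_at INTEGER NOT NULL);
        CREATE TABLE IF NOT EXISTS cache(
            account_id INTEGER NOT NULL
                REFERENCES consent(account_id) ON DELETE CASCADE,
            kind TEXT NOT NULL, payload TEXT NOT NULL,
            expires_at INTEGER NOT NULL,
            PRIMARY KEY(account_id, kind));
    """)
    return db

def grant_consent(db, account_id, now):
    # Called after the player has logged in and accepted the data listing.
    with db:
        db.execute("INSERT OR IGNORE INTO consent VALUES (?, ?)", (account_id, now))

def withdraw_consent(db, account_id):
    # Deleting the consent row cascades to every cached row for the account.
    with db:
        db.execute("DELETE FROM consent WHERE account_id = ?", (account_id,))

def store(db, account_id, kind, payload, now):
    # Refuse to cache anything for an account that has not opted in.
    ok = db.execute("SELECT 1 FROM consent WHERE account_id = ?",
                    (account_id,)).fetchone()
    if ok is None:
        return False
    with db:
        db.execute("INSERT OR REPLACE INTO cache VALUES (?, ?, ?, ?)",
                   (account_id, kind, payload, now + TTL[kind]))
    return True

def fetch(db, account_id, kind, now):
    # Expired rows are never served, even if the purge job has not run yet.
    row = db.execute("SELECT payload FROM cache WHERE account_id = ? AND kind = ? "
                     "AND expires_at > ?", (account_id, kind, now)).fetchone()
    return row[0] if row else None

def purge_expired(db, now):
    # Run periodically; returns the number of rows removed.
    with db:
        return db.execute("DELETE FROM cache WHERE expires_at <= ?", (now,)).rowcount
```

A cache miss from `fetch` is the point at which the tool would go back to the API, which keeps the request count low without keeping rows past their lifetime.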





