The server sends the IP address of a player to all other players. IP addresses are considered personal data so distributing it requires consent of the data subject. I haven't seen any server asking for this and the current protocol also doesn't really allow implementing such a feature.
Related issues: #15647, #17343, #17529

@OpenRA/server-hosts The GDPR fines are huge (10M/20M) so you might want to do something about this before some troll comes up with the great idea of filing complaints with their DPA or taking legal actions.
See #17343 where I also brought up this issue, and discussion that followed.
GDPR is a troll policy, public IP addresses cannot lead to a player being identified without a warrant to the relevant ISP, therefore shouldn't be considered personally identifiable information. But unfortunately the policy maker trolls over in the EU have come up with this policy and threatened the world with fines up to 20 million. So yes I'd say it's probably reasonable to have some agreement for players when they join a server. Maybe come up with a boilerplate agreement that server hosts could modify as they see fit. This would probably need to be a server specific agreement, rather than one that displayed on start up, it would need to be displayed upon joining a server, as each server host would be considered a data processor according to GDPR. I wonder how anyone in the EU is using BitTorrent these days, GDPR is such a troll policy.
https://github.com/OpenRA/OpenRA/issues/17529#issuecomment-569924066 should resolve this.
@pchote Removing the last octet is stupid in my opinion, just remove it completely. And what about IPv6? Even though the master server still doesn't support it, direct connect works.
@Papi94 You are wrong. If I give you my IP address, you just have to do a simple query to the RIPE DB and you will get:
- my full name
- my postal address
- my email address
- my phone number
No need for a warrant or anything, that information is public under the conditions of the RIPE DB.
Respectfully, unless you are a service provider I will not get your information. For example the below is a whois lookup of my IP address. It doesn't even show the correct state.
Source: whois.arin.net
IP Address: *
Name: NWT-CT-75-136-64
Handle: NET-75-136-64-0-1
Registration Date: 11/27/06
Range: **
Org: Charter Communications
Org Handle: CC04
Address: 6399 S Fiddlers Green Circle
City: Greenwood Village
State/Province: CO
Postal Code: 80111
Country: United States
Sure, but what applies to you doesn't automatically apply to everybody else. I am a LIR (RIPE region) as an individual so all my AS(es) and addresses are directly linked to my contact information. I also sponsor PI resources (and make PA assignments) to a few other individuals and all of them chose to have their contact info public as well. The alternative for them would have been to use the contact info of their LIR (me) instead. So yes, if you have IP addresses, then there is no reliable way to filter out a) static addresses (or "dynamic" addresses that stay the same for a long time, for example more than a year), b) addresses with an individual assignment to an individual, c) addresses with an individual assignment to an individual who chose to use the contact info of the LIR which happens to be an individual as well.
Just trust me on this, I can't prove it without giving enough information to find everything about me in the RIPE DB.
@jrb0001
That sounds like an issue with the user giving their personal information out and the privacy policy of the service allowing anyone to query their database for personal information.
Also aren't LIRs typically businesses or organisations? If this is an actual concern of yours, you can easily make your contact information akin to a business rather than outputting your home address and phone number.
That should be a concern for you regardless of whether OpenRA is displaying your IP or not, as there is no way to actually stop a server owner (or in fact, any person who has services you connect to) recording these IPs. Even if obfuscated somehow, Wireshark could easily identify any foreign connections. These concerns of yours still exist regardless of what happens to IPs.
@anjew175 If I wanted to "make your contact information akin to a business rather than outputting your home address and phone number", I would have to create said business, send official documentation to RIPE and request a transfer. It is not as easy as you make it sound and I decided against it for reasons.
If a server owner decides to look my information up, then he most likely has a legitimate reason to do so (unintended abuse, needs help for debugging, stuff like that) and then it should be as easy for him as possible to contact me. What isn't ok is if he systematically publishes the addresses unless there is a strong technical reason to do so (hint: that never applied and also never happened outside of openra afaik).
But please let's get back to the topic of this ticket. If somebody wants to discuss my reasons and stuff like that, just ping me on IRC and I will reply as soon as I see it.
Privately run servers may not be suspect to GDPR laws according to Article 2, Section 2 c) GDPR.
- This Regulation does not apply to the processing of personal data:
(c) by a natural person in the course of a purely personal or household activity;
Online gaming isn't a "purely personal" activity in my opinion (random other people are involved and you most likely don't even know them in person) and the household part definitely doesn't apply. It all comes down to interpretation and I prefer to stay on the safe side in such situations but feel free to take the risk if you want.
Privately run servers may not be suspect to GDPR laws according to Article 2, Section 2 c) GDPR.
Online gaming isn't a "purely personal" activity
Online gaming may be (from client perspective), but providing and maintaining a public multiplayer web server probably is not. I think doing so is very similar to "providing the means for processing personal data for such personal or household activities", see recital 18, for example here: https://gdpr-info.eu/recitals/no-18/.
IP addresses are considered personal data so distributing it requires consent of the data subject.
Not necessarily consent but any legal basis from Art 6 GDPR. Since processing of the IP address is a technical requirement to offer/use the service and thus very likely within the legitimate interest (see Art. 6 (1) lit. f GDPR) the question about the legal basis is a non-issue. The real issue here is that you need to inform subjects when collecting data from them as told in Art. 13 GDPR. This is something you already can do without changes to the server implementation.
Show an automatic message when somebody joins that tells
Disclaimer: IANAL
@reallynotarobot Can you explain the technical requirement to publish the IP addresses of all clients? The server obviously needs it to maintain the connection, but the clients only interact via the server. I also don't see why replays would require it and the same applies to savegames.
Otherwise your list looks correct to me. Also a good point about the username (and more importantly the authentication system/forum account in general).
Regarding Art. 13 GDPR: The only mechanism for that I can see so far is the motd. But how am I (as a player) supposed to read that and exercise my rights if the admin decides to kick/ban me immediately? I don't have enough time to read it in that case. For example Art. 21 GDPR gives me the right to object to the processing but how am I supposed to do that if I don't even know what is processed for which purpose and by whom?
In my opinion, it would be a much better approach to do the following:
Ask for explicit consent before sharing the data ("Do you want to use your OpenRA forum account to prove your identity to this server, all connected players and associate it with the replay?").
This is covered by the forum privacy policy that players agree to as part adding a key to their account.
@pchote The forum privacy policy only matters for game servers if the owner of the forum is the data controller and all game server operators are only processors. Does the owner of the forum have a contract (or similar) that satisfies Art. 28 GDPR with every single game server operator (which includes players if they decide to host from within the game). I don't remember agreeing to anything before hosting my first game... Or how is the forum owner compliant with Art 28 (1) GDPR without that contract? I don't think that's a good way to look at it to be honest.
@jrb0001
Can you explain the technical requirement to publish the IP addresses of all clients? The server obviously needs it to maintain the connection, but the clients only interact via the server. I also don't see why replays would require it and the same applies to savegames.
Otherwise your list looks correct to me. Also a good point about the username (and more importantly the authentication system/forum account in general).
Regarding Art. 13 GDPR: The only mechanism for that I can see so far is the motd. But how am I (as a player) supposed to read that and exercise my rights if the admin decides to kick/ban me immediately? I don't have enough time to read it in that case. For example Art. 21 GDPR gives me the right to object to the processing but how am I supposed to do that if I don't even know what is processed for which purpose and by whom?
In my opinion, it would be a much better approach to do the following:
* Don't store/process/publish information if it isn't required (IP address: the socket needs to stay alive obviously but everything else is optional).
* Ask for explicit consent _before_ sharing the data ("Do you want to use your OpenRA forum account to prove your identity to this server, all connected players and associate it with the replay?").
* Give server owner a way to show a dialog to the player (with accept/reject button, maybe more flexible?) _before_ anything else is done with the connection in case they want to do more with the data (ranking system or whatever other features you can think of).
I only had the transmissions in my mind so "technical requirement" could be wrong for storing IP-addresses. If it is wrong in that context, the data should probably not be stored there or only in an anonymized way.
Good point about the limitations of the motd. Instead the information (or any other text server owners would like to include) could be shown in a new info-widget in the server browser that could be accessible via a button when selecting a server. Remember that the right to object in Art. 21 GDPR depends on "grounds relating to your particular situation" unless the data is processed for direct marketing purposes. So the subject has to demonstrate that, which is also part of the reason why I'm not convinced that the consent model is needed/desirable.
There is the burden of documenting consent in Art. 7 (1) GDPR, the problem with getting valid consent if children are subjects and the lower "entry barrier" to the right to erasure in Art. 17 (1) GDPR when processing is based on consent.
This is covered by the forum privacy policy that players agree to as part adding a key to their account.
The forum privacy policy only matters for game servers if the owner of the forum is the data controller and all game server operators are only processors.
Regarding the data that servers request from the forum, I think this is a case of Art. 14 GDPR so you would have to inform about getting this public information from the forum controller etc. (identical to Art. 13 GDPR otherwise unless I remember it wrong).
I'm quite sure that server owners are not data processors since they aren't bound by instructions (of whom anyway?). The forum policy of course does not apply to you as a server controller and only matters in the relation between subject and forum controller. As I understand it, since processing happens to the same extent for the same purposes, you can refer to the consent given to the forum controller as legal basis but I'm a bit unsure and don't know details.
Isn't security (showing IP in game) and archival (IP in replays) considered legitimate purposes to process IPs?
IP is used as a security measure by server owners and players to remove people who may be disruptive to the game or actually breaking the law (hate speech/death threats). It's a measure used by countless games and servers for the purpose of protecting the integrity of the game.
It's impossible for a p2p game like OpenRA to hide IPs. I suggest for people who get scared by this to update their MOTD and add some kind of disclaimer. This is definitely overreacting.
@Mailaender OpenRA is only p2p from the game logic perspective. It isn't p2p from a networking perspective because everything always goes through the server. So there really isn't a technical reason why the addresses must be distributed to all clients. In fact my own server implementation doesn't do it and everything works just fine.
@jrb0001 Which server implementation?
@abmyii My own, fully independent, implementation which is used for the official SP and RV servers. Not all of them are already running on the new version yet so ping me on IRC if you want to know which ones you can use for verifying my claims.
I don't use the IRC server. Could you provide a link to the server implementation?
I think you shouldn't use weird EU law to justify a code change, but rather submit your true dedicated server as a pull request, because it is technically an improvement.
The only difference relevant to this ticket between the official and my implementation is that my server omits the IpAddress field when serializing the client info. This doesn't cause any issues on the client side and looks like this:

If the country feature is so important to you, just implement it on the server side.
@abmyii I never bothered to publish the git repo so it is only available to very few people. But as I already wrote twice in this ticket, anybody can ping me on irc to talk about anything not related to this ticket and I will reply as soon as I read it.
@Mailaender The implementation as a whole isn't "technically an improvement". It has some advantages but some features are not implemented at all (nobody from SP/RV uses them anyway) or simply work differently. Also I don't have the time nor motivation to do upstreaming work at the moment. But feel free to ping me on IRC if you are willing to do it.
I think you shouldn't use weird EU law to justify a code change, but rather submit your true dedicated server as a pull request, because it is technically an improvement.
@Mailaender the GDPR is based on some simple principles that I don't consider "weird" at all. The core principles are transparency, purpose limitation and data minimisation. I'm not Facebook or Google but only a normal dude, so for me it's a win if everybody who wants to use data that can be used to identify me (in the meaning of "recognize") has to comply with these principles. It's a long road to establish these standards and everybody can decide for themselves if they want to lead by example or postpone the involved work until problems arise.
I already noted what I think would be sufficient to do for server owners (include the mentioned information in a new dialogue). The OpenRA maintainers should also inform about how they use personal data, mainly about connecting to the master server and which data is stored for which purposes etc. These are separate things, as the master server controller and game server controller can be different persons and act independently.
Just to throw in my 2 cents:
As someone who is considering to make and release a commercial game based on the OpenRA engine and (probably) doesn't have the coding skills to make the necessary changes to server code, I'd rather drop multiplayer support completely than ship with/connect to anything with the slightest chance of causing legal trouble.
In my opinion it's completely irrelevant whether we consider any laws weird or not, the only thing that should matter is what consequences it might have if we don't (fully) comply.
I believe it is as simple as emptying
https://github.com/OpenRA/OpenRA/blob/baa5b3d25ec43e6eb122e7bee7097c6e44a5ff8e/OpenRA.Game/Server/Server.cs#L347
Apart from EU law it is actually bad practice to show player IP addresses because it offers an attack window: Start DDoSing your enemy, so they leave and you "win" the game.
https://arstechnica.com/gaming/2016/04/rainbow-six-siege-reportedly-reveals-your-ip-address-to-potential-attackers/ although I guess that problem exists mostly in theory, and I am not sure if hiding the IP there is enough.
https://github.com/OpenRA/OpenRA/issues/17529#issuecomment-569924066 should resolve this.
_Originally posted by @pchote in https://github.com/OpenRA/OpenRA/issues/17534#issuecomment-569977693_
@Mailaender Doing that would break address based bans (which are useless against a determined attacker anyway). If you want to avoid that, then https://github.com/AttacqueSuperior/Engine/commit/7b28b8b3d311afa746f61a6ea4c5f2d29149b8f4 is the solution.
That code looks like it only changes things on the client side.
@Mailaender The field is skipped during serialization of the class and the class is used on both the client and the server side. Current AS master:

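An added sketch, not the AS or OpenRA code referred to above, of the design discussed in this thread: the server keeps the full address for ban checks, leaves it out of the client info sent to other players, and truncates it for logs or replays. The `ClientInfo` and `Server` names and the /24 and /48 truncation prefixes are assumptions, and the addresses are constructed documentation-range samples.

```python
import ipaddress
from dataclasses import dataclass, asdict

# Fields that never leave the server (assumption for this sketch).
SERVER_ONLY_FIELDS = {"ip_address"}


@dataclass
class ClientInfo:
    """Hypothetical per-client record; not OpenRA's own client class."""
    index: int
    name: str
    ip_address: str


def normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 as reported by dual-stack sockets."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def truncate_address(addr, v4_prefix=24, v6_prefix=48):
    """Zero the host part: the last octet for IPv4, everything below /48 for IPv6."""
    ip = normalise(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class Server:
    def __init__(self, banned):
        self.banned = {normalise(b) for b in banned}
        self.clients = []

    def accept(self, name, addr):
        """The ban check uses the full address, which stays on the server."""
        ip = normalise(addr)
        if ip in self.banned:
            return None
        client = ClientInfo(len(self.clients), name, str(ip))
        self.clients.append(client)
        return client

    def broadcast_view(self):
        """Client info as sent to every player: the address field is skipped."""
        return [{k: v for k, v in asdict(c).items() if k not in SERVER_ONLY_FIELDS}
                for c in self.clients]

    def log_view(self):
        """Records for logs or replays: the address is truncated before storage."""
        return [{**asdict(c), "ip_address": truncate_address(c.ip_address)}
                for c in self.clients]


if __name__ == "__main__":
    server = Server(banned=["203.0.113.7"])
    print(server.accept("troll", "::ffff:203.0.113.7"))  # banned, also when IPv4-mapped
    server.accept("alice", "198.51.100.23")
    server.accept("bob", "2001:db8:1234:5678::1")
    print(server.broadcast_view())
    print(server.log_view())
```
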
As an Implementation Consultant I deal with GDPR daily. GDPR does not mean you can't use personal data, it means you can't use more than necessary and you can't store it for any longer than necessary. I would say in game use is fine but in replay files and server logs saving the IP address is doubtful. So basically, anjew is spot on.
I wouldn't worry about the fines. I've seen governmental organizations get away with way, way, way worse. In Holland there's a famous case where a fine was awarded; a celebrity was rushed into the hospital, rumor was she tried to commit suicide. Lots of hospital employees accessed her file out of curiosity, violating her privacy.
Start DDoSing your enemy, so they leave and you "win" the game
The same can be said for exposing the server IP. Start losing, just DDoS the server, everyone leaves and you 'win' the game