MrEHasher [Pitching Concept]

[The_Cowboy]

If you store a hash of the IP address instead of the IP itself, that data should be anonymous and not covered by the GDPR any more. But IANAL.

Thank you Barbie for the suggestion. That is most certainly useful, Cheers!!

Ye ye, I hear ya. Therefore I demand you help me draft or write the EULA for MrEHasher. That should provide server owners and admins firm basis for dealing with legal, umm, ramifications.

With respect, you are the one producing this software and thus the onus is on you to ascertain the legal and other implications of the use of your software (the gathering and storage of people's personal information). This is not something I agree with nor support in any way, shape or form and so I have no desire to help draft an EULA. Besides which an EULA would need to comply with the relevant legislation in any jurisdiction in which a server or a client/user may be based - and that would require knowledge of that legislation, which I do not possess.

If you are willing you are more than welcome to share why you don't support such a transparent activity. All my code is open source and ready for scrutiny. Given that electronics data is the most reliable way for identification, I don't think there is enough scope for anyone to disagree. I have been wrong before though.

Doesn't what you are proposing go well beyond ACE's EULA?

Well seems like you are not aware of ACE and entire charade of how HwID is computed, which is quite shady itself given the closed sourceness of ACE, that ACE submits to the server . That is alright. I guess thanks for raising the concern though.

AddLine("* may submit non-personal system information to the gameserver;");
Your software proposes to submit personal information to the gameserver - unique identifiers of a person's hardware are personal information and they can, if stored, be linked to other personal infomation like an IP Address.

AddLine("* will NOT analyze, alter or submit any personal information;");
Your software will analyze personal information and submit it to the server owner/operator - that is the purpose of the software.

ACE does the same if HwID is really what the name claims it be.

AddLine("* will NOT open or read files that are not directly related to the game;");
It may not open or read files but the software will gather information not directly related to UT99.

AddLine("* will NOT run while playing on servers without ACE;");
Presumably NPLoader will run on a server not using ACE and so your software could be used on servers not running ACE?

True on both accounts. This is rather a prototype of what EULA looks like. I never intend to copy word-by-word. Thanks for your critical analysis for reinforcing how important such topics really are, especially in a democratic environment.

How do people joining a server get to agree or disagree with ACE's EULA? I have several ACE versions in my Cache and have never been asked to agree or otherwise to their installation or to the EULA - in fact this is the first time I have seen this EULA.

How will people joining a server using your software get to agree or disagree with its installation?

As I said this is just a prototype and not the final agreement (which I hoped you'd help me with and you did partly). You do raise a legit point though. I think ACE's dll files wrapped in .u package are kind of sandboxed and thus ok? to lie in cache maybe.
If you have installed ACE using NPLoader then EULA must have popped up without agreeing to which you shouldn't be able to install ACE (read extract dll from ACEsomehingdll.u). "This software" is just another Native Mod that end user shall have complete freedom to not install thus not being allowed to play on the server. End of story!

[OjitroC]

If you are willing you are more than welcome to share why you don't support such a transparent activity. All my code is open source and ready for scrutiny. Given that electronics data is the most reliable way for identification, I don't think there is enough scope for anyone to disagree. I have been wrong before though.

I'm not suggesting that your code is not or will not be transparent and open source - it's the gathering, storage and use of personal information to which I object - but, more importantly, which is likely to fall foul of legislation in a number of jurisdictions, not least the EU.

Well seems like you are not aware of ACE and entire charade of how HwID is computed, which is quite shady itself given the closed sourceness of ACE, that ACE submits to the server . That is alright. I guess thanks for raising the concern though.

No, I have no knowledge of ACE.

ACE does the same if HwID is really what the name claims it be..

If it does, and the HwID is or could be construed to be personal information (or could be used together with other data to produce personal information) then it is possible that users (server owner/runners) of ACE may not be fully complying with the relevant data protection/on-line privacy legislation in their jurisdiction

I think ACE's dll files wrapped in .u package are kind of sandboxed and thus ok? to lie in cache maybe.
If you have installed ACE using NPLoader then EULA must have popped up without agreeing to which you shouldn't be able to install ACE (read extract dll from ACEsomehingdll.u). "This software" is just another Native Mod that end user shall have complete freedom to not install thus not being allowed to play on the server. End of story!

I haven't installed ACE nor installed NPLoader - these are downloaded when joining or attempting to join (the latter for obvious reasons) a server - I have not been asked to agree to the installation of either as I said before. I have deleted everything to do with ACE and NPLoader from my system (including from the cache) just to see what happens when I next attempt to join a server.

It should be noted in passing that ACE is not used by many servers.

------------------ UPDATE ---------------------
Having removed all trace of ACE from my setup, I attempted to join 2 servers running ACE and sure enough two versions of ACE were downloaded without me being asked whether I wanted to install it or not - nor indeed being told what it would or wouldn't do. So, unless your software is written in such a way that users/clients are automatically asked to agree to it before proceeding and those running servers are unable to disable this, I think we can guess what will happen - users won't be informed or asked to agree.

XBrowser reports those servers running ACE - I have no idea how accurate that is but, based on what it reports, I would estimate less than 20% of the public servers run it.

[The_Cowboy]

Hmm I am in a pickle now!! Do we have legal department in these forums?
Putting the project on halt for now.

About the ACE not showing EULA, you may want to set the following to false, besides the file purge, in User.ini (depending on version)

Code: Select all

[IACEv13.ACEEULA]
bLicenseAccepted=True

I think you will still see the relevant packages being downloaded the only change shall come on installing (or extracting dll from .u) the files via NPLoader.

[The_Cowboy]

If it does, and the HwID is or could be construed to be personal information (or could be used together with other data to produce personal information) then it is possible that users (server owner/runners) of ACE may not be fully complying with the relevant data protection/on-line privacy legislation in their jurisdiction

Seems like there is nothing wrong with extraction of personal information once done with consent and right disclaimers as per GDPR article 6

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• processing is necessary for compliance with a legal obligation to which the controller is subject;

• processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As far as I can see ACE is compliant with GDPR. The only grey (gray?) area could be clients from non-EU territories which my not interfere with GDPR, rather their local jurisdictions' regulations, which would be weird imho.

[OjitroC]

As far as I can see ACE is compliant with GDPR. The only grey (gray?) area could be clients from non-EU territories which my not interfere with GDPR, rather their local jurisdictions' regulations, which would be weird imho.

I may be wrong but when one agrees to the use of ACE one is actually giving one's consent to the software itself (one is agreeing to its EULA) and not to the owner/operator of the server? It seems to me that that agreement is a once-and-for-all agreement, whereas one should be giving consent to the person actually storing and using one's data, which is the owner/operator of the server and that one should give consent each time one joins another server that is using ACE AND is storing and using one's data. Of course in giving consent one needs to be told what use will be made of the data that is gathered and stored (if indeed it is stored).

The grey area is that data protection legislation may well vary from country to country (even within the EU but more particularly outside it).

[The_Cowboy]

I think giving consent to software is equivalent to giving consent to the operator because software's Eula is from their behalf? Though that can be made more explicit.

Ye I believe repeated reminders could be added in NPLoader to, well, remind that server is using dll (and or so or dylib) for gathering personal information, every time player joins. I have seen people getting frustrated even by one time EULA notice

I think you are rightly concerned about what is covered in Rights of data subject. The operators / serveradmins are referred as controllers

• The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

• The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.

• When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
  1The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. 2In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
  1The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. 2That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. 3The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

• Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
  If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

This would imply there need be an agreement between server admins and software also, whereby the server admins must accept to provide such and such information upon the relevant query by the players or data subjects.

[The_Cowboy]

With no more concerns being raised, I have decided to resume the development of the Mod in accordance with GDPR.

[OwYeaW]

This is a nice project. What is the current status?

Getting HWID from Windows, Mac & Linux clients would be great for user identification, opposed to ACE which only gets HWID from Windows clients.

[The_Cowboy]

Thanks for the interest.

Currently the project is at hiatus, yet again, because I am doing some sort of research (indirectly related to this) with Unreal byte code decompilation. What is left of this project is just a grunt work for Linux and Mac platforms, which a decent enough C++ programmer should be able to do. I should be able to do that later this year. Also some clients are reporting crash, which again is seemingly a grunt work to work with them and see what native calls are generating faults.

If you have queries regarding code, buzz me on discord.