User talk:Cook Me Plox

From Meta Wiki

WeirdGloop privacy concerns

Not the first time I bring this up (the previous time was on OSRS wiki somewhere), but I can't express myself fluently enough at Forum:Forum Grove so I'll say something here.

References:

Assuming naively UK GDPR = EU GDPR and naively that to be the goal, some action items:

  • Stop transfers of personal data to third countries (USA) when the protection is inadequate (incompatible with EU's Charter of Human Rights).
    • Cloudflare (CDN, insights)
      • Assuming the private keys for TLS connections are held by Cloudflare (in the USA), there are risks of data requests made by the US authorities, but the risk is difficult for me to quantify personally.
    • Google Analytics (Google Tag Manager)
    • reCAPTCHA on registration pages (and new contributor edits with links)
      • Select all images of Twisted Bows / items under the value of 100 Coins.
      • FancyCaptcha?
    • DigitalOcean (crowdsourced data, see below)
  • Analytics in general
    • An example replacement that comes to my mind: Self-hosted Matomo (formerly Piwik), and no identifiable information (UUIDs) in analytics.
    • Explicit consent before tracking a user with UUIDs (cookies).
      • And none of those bad cookie banners, which do not give an equal opportunity to give or decline consent (as it often is that rejecting consent takes many more clicks than accepting consent).
      • And if they are transferred to third countries, being informed of the risks of such transfers (but the barrier for consent is so high this can be very impractical or impossible).
  • Write the privacy statement. (Also rename it from "Privacy policy", because the laws are the policy.)
  • Add a checkbox confirmation and a link to the privacy statement from MediaWiki registration pages. (May run into MediaWiki's limitations out-of-the-box.)
  • GCP
    • Even if the personal data is stored in, let's say Google's subsidiary in Ireland, and not transferred to GCP servers in third countries, review there are technical measures like full-disk encryption to prevent the parent company in the USA (Google LLC) from gaining access to personal data on Irish servers if third country (USA) authorities request access to the data.
    • Google's DPO is in the USA (including for GCP matters), so there may be limited effective legal measures for data protection and enforcement in case of violations. Google has designated a DPO for Google LLC and its subsidiaries, to cover data processing subject to the GDPR, including as part of our Cloud products and services. [...] [DPO] is based in Sunnyvale in the U.S. (source)
  • RuneLite wiki crowdsourcing (RS:CROWD)
    • As far as I know, this is currently opt-out by default. No explicit consent (opt-in) is requested. And it leaks at least cat names. Bad!
    • The collected (personal) data is at least partially public via Chisel toolserver. Uh oh.
  • Varbits (game progression) are also collected and made publicly available to query, with in-game geolocation data. This was the case with Shattered Relics League (OSRS).
    • It gets fed to crowdsource.runescape.wiki, allocated to DigitalOcean's network (USA). Unclear if USA authorities may have access with current technical and organizational measures.
    • Additionally, despite RS:CROWD saying the contrary, it included OSRS character names for the Leagues thing.

84.250.14.116 10:10, 21 May 2022 (UTC)

Hi. I think you have an incorrect idea of what was going on with the leagues/WikiSync data. That is not crowdsourced or aggregated in any way, and is only used for individuals to look up their quests, tasks, etc on the wiki. It requires consent (with a very clear warning message) on the RuneLite side and has no affiliation with crowdsourcing. It does not pass through crowdsource.runescape.wiki, and has nothing to do with RS:CROWD. Of course it uses character names, that's how people look up their account.
So far as I know, there is not currently an indication that reCAPTCHA violates any CJEU or related directives. Your alternative proposals are not realistic. I think if we get an unambiguous statement that reCAPTCHA is illegal, and there are no steps at the Google level to find a Schrems II compatible solution (which seems improbable, if it gets that far), we'd prefer to just remove all CAPTCHAs since they don't really do much for us.
Regarding Google Analytics, the relevant DPA we have is with Google Ireland rather than Google LLC, although it's unclear whether that protects us from things related to (say) CLOUD Act in the US. It's also my understanding that we do (properly) remove the last octet of the IP address before it's sent off, which was a major point of contention in the case you linked. Google has introduced a new version of GA which will set off another two-year song-and-dance where everyone argues over whether the new one will satisfy the CJEU and regional courts. I imagine it won't. More generally for analytics, ideally we would do all of this logging entirely at the server level, but due to the large majority of pageviews that go through Cloudflare and never hit our servers at all, this is easier said than done.
I would also say in general that assuming UK and EU GDPR are equivalent is somewhat dangerous – in general, the UK has not interpreted things as broadly as the CJEU and related regional European courts, and so far as I know, the batty decisions that follow logically from Schrems II generally don't have equivalents in the UK. Whether this makes any practical difference going forward (especially as the ground is moving on a near-monthly basis, with the new IDTA/addendum), is not clear.
For your other points about GCP and Cloudflare, we have done transfer impact assessments on the relevant entities and I'm happy with the steps we have taken to mitigate the risks. ʞooɔ 11:55, 21 May 2022 (UTC)

I will speak of EU GDPR, because I am more familiar with it, although I also acknowledge the UK GDPR takes precedence for WeirdGloop. I wanted to emphasize talking about UK GDPR naively, acknowledging silently they are similar but not the same.

Regarding reCAPTCHA: Clicking "I'm not a robot" without solving the challenge sets a _GRECAPTCHA cookie (UUID) for 6 months on the www.recaptcha.net domain. This third-party cookie remains unchanged when visiting another site that uses reCAPTCHA, no need to press "I'm not a robot". If I remove the cookie, I am given a new unique cookie (new UUID). Not surprising. But I believe this requires legally valid consent from EU users (the use of those cookies and sharing the data with Google). I often end up accidentally sharing personal data (_GRECAPTCHA cookie identifying that same device/user) with Google before knowing the next site was using reCAPTCHA (it gets loaded immediately on WeirdGloop wikis, without a prompt). Here I think WeirdGloop should seek legally valid consent, and inform about this data collection/sharing more clearly in the privacy statement. I'll also make note, but not comment on whether WeirdGloop wikis follow Google's Terms of Service for reCAPTCHA (mandating the reCAPTCHA implementor to tell the user in privacy statements about hardware information being collected).

I have my doubts about removing only the last octet of an IP-address (assuming you were only talking about IPv4-addresses) being effective pseudonymization, at least in the sense that it is in EU GDPR.

Your response did not really address why WeirdGloop couldn't do analytics without exporting it to Google (e.g. Matomo with UUIDs and valid consent), or I've not understood it. You seem unable to ascertain that Google LLC does not have access to the personal data from gathered analytics via Google Ireland. As it seems to me, no transfer is occurring to Google LLC based on this information you've stated, but I still acknowledge the risk that the US authorities may request access exists (and it seems avoidable). In a related manner, in a French court case about the use of Amazon Web Services, the court did not find insufficient data protection and the applicant's request to stop the controller from using AWS was rejected.

I think somebody (in the WG board) should set a deadline to have a new privacy statement written and RFC'd. The sooner the better, disappointing to see it stalled (and hopefully not soon forgotten). I'm sure you'd elaborate on those transfer impact assessments in the new privacy statement as well.

84.250.14.116 13:19, 21 May 2022 (UTC)
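To make the last-octet point above concrete, here is an added example (not code from the thread or from WeirdGloop) that masks the last IPv4 octet the way the analytics setup is described and then runs a few constructed analytics hits through it. The hit layout (client IP, cookie UUID, page path) and the sample values are assumptions for illustration; the point it shows is that masking bounds the IP to at most 256 hosts, but a stable cookie next to the masked IP still links every hit of one client.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A hit is (client_ip, cookie_uuid, page_path); this layout is an assumption.
Hit = Tuple[str, str, str]

# Zeroing one octet collapses at most 2**8 addresses onto one masked value.
MAX_HOSTS_PER_MASKED_IP = 2 ** 8


def mask_ipv4_last_octet(ip: str) -> str:
    """Zero the low 8 bits, i.e. report the /24 instead of the host address."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def cookies_behind_masked_ip(hits: List[Hit], masked_ip: str) -> Set[str]:
    """Cookie ids seen from one masked /24: the mask hides the host, not the client."""
    return {cookie for ip, cookie, _ in hits if mask_ipv4_last_octet(ip) == masked_ip}


def pages_by_cookie(hits: List[Hit]) -> Dict[str, List[str]]:
    """Per-client browsing trail, reconstructible regardless of the IP mask."""
    trails: Dict[str, List[str]] = defaultdict(list)
    for _, cookie, path in hits:
        trails[cookie].append(path)
    return dict(trails)


# Constructed sample hits (documentation-range IPs, made-up cookie ids).
SAMPLE_HITS: List[Hit] = [
    ("203.0.113.57", "cookie-u1", "/w/Twisted_bow"),
    ("203.0.113.58", "cookie-u2", "/w/Coins"),
    ("203.0.113.57", "cookie-u1", "/w/Quest"),
    ("198.51.100.9", "cookie-u1", "/w/Login"),   # same client, different network
]

if __name__ == "__main__":
    for ip, cookie, path in SAMPLE_HITS:
        print(mask_ipv4_last_octet(ip), cookie, path)
    print(cookies_behind_masked_ip(SAMPLE_HITS, "203.0.113.0"))
    print(pages_by_cookie(SAMPLE_HITS)["cookie-u1"])
```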
And re: WikiSync "consent", I still don't see a way to retract that consent, so I don't believe the consent was ever legally validly given. 84.250.14.116 13:23, 21 May 2022 (UTC)
While you seem to have "sufficient guarantees" (an EU GDPR term) for data protection about GCP and Cloudflare (assuming some kind of unmentioned technical measures like encryption at rest), I cannot say you have sufficient guarantees for the use of Google Analytics. 84.250.14.116 13:33, 21 May 2022 (UTC)