The GDPR
#1
Posted 2020-October-28, 06:03
Nice job!
Pity you didn't choose to listen when folks pointed these issues out to you years back.
FWIW, I'm going to offer some free legal which is worth every penny you're paying for it.
Please note: I am not a lawyer, however, Akamai spends a lot of time / effort dealing with GDPR related issues and my team is the one that gets to deal with a whole bunch of this so we get to spend lots and lots of time getting training on this front.
Moreover, Akamai sells services like "Client Reputation"
https://www.akamai.c...-reputation.jsp
We profile IP addresses on the internet and make determinations whether they are "good" or "bad" which is directly analogous to a lot of what's going on with BBO and Personally identifiable Information.
The critical issue here is making sure that BBO establishes that they have legitimate purpose for collecting and sharing Personally Identifiable Information and this purpose requires the ability to share information with Data Processors.
Once you go and do this, build the appropriate disclosure into your privacy statements, and provide appropriate controls over the information in question, you're golden.
You can collect all sorts of information and use this for any one of a variety of purposes.
Hopefully, BBO won't overreact and stop collecting any of this information.
#2
Posted 2020-October-28, 17:44
Can you please clarify for the layman like me whether this means I should find a different Bridge Site to play on?
It doesn't sound good for those of us involved in the serious data and privacy game ourselves if people are prying and sharing our information.
Also, by clarification, is the free legal advice for us the users or Bridgebase? It's much appreciated.
regards P
SORRY. Following stuff is being edited
#3
Posted 2020-October-29, 04:45
thepossum, on 2020-October-28, 17:44, said:
I think it is fair to say that any good bridge site will be collecting personal information more than is sufficient to let you play and pay. If you want a site that seeks to detect and prevent various forms of cheating, deal with abusive behaviour, or award master points from your NBO, then this will be impossible unless additional information is also collected.
Richard is not complaining about the collection. It is the processes and procedures that are required, especially by the European Union, when collecting personal information of its citizens where BBO needs to be diligent and, it seems, like many American companies they may not be robust; or sufficiently robust to contest a lawyer's assertion that they are not robust.
It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).
I have no idea what constraints the Australian parliament puts on foreign companies dealing with its citizen's personal data.
#4
Posted 2020-October-29, 05:44
paulg, on 2020-October-29, 04:45, said:
It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).
BBO started out life as a Canadian company, then it was based in the US when Fred moved to Vegas.
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.
Some people, myself included, pointed this out at the time.
#5
Posted 2020-October-29, 06:19
thepossum, on 2020-October-28, 17:44, said:
Can you please clarify for the layman like me whether this means I should find a different Bridge Site to play on?
It doesn't sound good for those of us involved in the serious data and privacy game ourselves if people are prying and sharing our information.
Also, by clarification, is the free legal advice for us the users or Bridgebase? It's much appreciated.
regards P
SORRY. Following stuff is being edited
A few quick comments here: The advice that I was providing was intended for BBO management rather than the folks using the site.
Here's a bit more information
The BBO servers record a couple different type of information about hands.
The first is information that is directly related to play.
1. Who is sitting at the table
2. What cards have been dealt
3. What was the bidding, the play, etc.
4. What was the score
5. What other tables played the hand
6. What is the timing with which various bids are being made
Most of this information is pretty much always publicly available when you are playing in a bridge game (especially online). And as technology such as Bridgemates has become available, more and more of this information is recorded for F2F games as well.
The second type of information is metadata related to the hand. Here, the most relevant information is stuff like:
1. What IP addresses do the various players / kibitzers use?
2. What type of device are the players / kibitzers using?
3. What cookies has the BBO client placed onto these machines?
Both types of information could be considered Personally Identifiable Information and run afoul of the GDPR.
What's important to understand is that the GDPR does not ban web sites from collecting PII. Rather, they need to demonstrate that they have a legitimate purpose in collecting and sharing this information.
I think that it is important for BBO to have a privacy policy that describes how it is handling both of these types of PII.
If it were me, I would have a privacy statement that says that BBO has a legitimate purpose in collecting and sharing the first type of information with (essentially) anyone and that this information will be collected and shared in perpetuity. Part of BBO's mission is promoting the game of bridge and providing public records is part and parcel of this. Moreover, BBO needs to protect the integrity of the games that are run on its platform and this requires sharing hand records with external data processors.
I would also have a separate part of the privacy statement that deals with the second set of information. This information would still be collected and stored but there would be much more specific controls over who is able to access this data and how it is shared.
#6
Posted 2020-October-29, 12:41
hrothgar, on 2020-October-29, 05:44, said:
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.
Some people, myself included, pointed this out at the time.
GDPR came into play on 25 May 2018 and has nothing to do with 52 Entertainment Group acquiring BBO and FunBridge. Article 3 of the GDPR, which defines the law's territorial scope, states that it not only applies to companies in the EU/EEA, but also to companies outside of the EU/EEA that serve (or track the data of) EU/EEA residents.
All US companies who deal with personal data of European citizens are required to comply with GDPR although enforcement is easier when you are based in Europe or have significant business in Europe.
BBO made a token effort of addressing the GDPR requirements with its policy revisions in 2018. I suspect they wish they'd done more at the time, including many of the things you've mentioned.
#7
Posted 2020-October-29, 14:58
paulg, on 2020-October-29, 12:41, said:
All US companies who deal with personal data of European citizens are required to comply with GDPR although enforcement is easier when you are based in Europe or have significant business in Europe.
Yes, just like individuals and government officials in the US are required to comply with the edicts of the International Criminal Court in the Hague. Oh wait, no one in the US actually gives a damn about the ICC because they have no power of enforcement over anything that actually matters.
You're crazy if you think any US based company is going to pay even the slightest bit of attention to the GDPR unless they absolutely have to
Akamai (where I am employed) is scrupulous about following the GDPR.
However, Akamai does lots of business in the EU.
I suspect that companies with less of an interest would simply ignore it.
#8
Posted 2020-October-29, 15:09
And without a way to "make me", it's cheaper and easier to just ignore the regulation. Cheaper and easier always wins, especially in the US.
Now, "high level matches will find another platform, because it's impossible to convict Euro-cheaters because of lack of GDPR compliance" might well be a good way to "make me". But it requires another platform...
I would guess that a large part of hrothgar's job is explaining to companies how ignoring the GDPR may not in fact be cheaper, and I'm sure he's as used to being ignored as I am when I speak as an SME (in either of my jobs).
As a moonbat leftie, it surprises me when others are shocked that the "but it's the Law" gambit works as well as history has shown it to work for generations.
#9
Posted 2020-October-29, 15:18
mycroft, on 2020-October-29, 15:09, said:
I would guess that a large part of hrothgar's job is explaining to companies how ignoring the GDPR may not in fact be cheaper, and I'm sure he's as used to being ignored as I am when I speak as an SME (in either of my jobs).
Luckily, Akamai executives are quite good about wanting to comply with various laws and the GDPR is actually quite reasonable about granting exceptions about legitimate business purposes. And better yet, we have lawyers who make all the important decisions. All I need to worry about is helping to make sure that various technical designs that engineering and marketing come up with maintain compliance with said regulations.
Where life gets complicated is when there isn't a good understanding of what the GDPR does / does not say.
For example, there was one period a couple years back where the German courts were claiming that IP addresses constitute PII and other courts in Europe were claiming the opposite.
#10
Posted 2020-October-29, 16:04
#11
Posted 2020-October-29, 16:46
hrothgar, on 2020-October-29, 15:18, said:
For example, there was one period a couple years back where the German courts were claiming that IP addresses constitute PII and other courts in Europe were claiming the opposite.
IANAL, but I do work for a UK based company ultimately owned in the Republic of Ireland. We handle millions of records of personal information and substantial card transactions on behalf of clients. My employer is, quite rightly, ***** scared of falling foul of the law relating to GDPR and the somewhat similar (and arguably even more draconian) PCI DSS (payment card industry data security standards) as, ultimately, the company could effectively be closed without so much as a court case. So we all get regularly trained and retrained in what it all means. IMO an "id number", in and of itself, is not PII. However as soon as you (or a third party) can tie up that "id number" with who or where you are or anything personal to you, then you are on dodgy ground assuming said "id number" is not personal. IP addresses very much come in that category.
One might think that "where you are" isn't all that personal as hundreds or thousands or more may live in your town, but add in a slightly unusual surname for example and suddenly you can be identified in detail by someone determined to find out.
It isn't that you can't store such data, it is that you have to be able to demonstrate a need to do so and that you delete it when it is no longer needed and that your networks and databases are secure and so on. In other words you have shifted heaven and earth to make sure things are as safe as they can be.
Nick
#12
Posted 2020-October-29, 17:11
And, with a name that is almost unique across the internet (assuming you know I never played Cricket, or am not 100 years old and, you know, *dead*, I am unique) you don't need to tell me anything about "slightly unusual surname". Why do you think I'm "mycroft" online? (and yes, I realize it's futile. But I don't have to make it *easy*)
#13
Posted 2020-October-29, 19:44
paulg, on 2020-October-29, 04:45, said:
I quite appreciate all sites collect information, and any Bridge site with accredited tournaments etc etc. are within their rights to whatever etc etc. That's not my concern at all.
paulg, on 2020-October-29, 04:45, said:
My concern in everything these days with data collection and rather impersonal assessment and adjudication by a combination of impersonal algorithms and often even worse people, is how that data will be used, issues of justice, issues of overreach, potential errors, limitations on any form of data analytic approach to anything and possibly most important of all how any such assessments are used in relation to sharing and linking of data to anything else etc
I was starting to write some of my concerns in my original reply. But they are extensive on a global scale, and I am sure (in fact I know) there are many people including experts who share many of those concerns etc.
I hate to say it but with someone with extensive experience of knowledge of many of the issues and different levels of expertise in various areas, there are a relatively small number of people who I trust internationally to have a clue about much.
paulg, on 2020-October-29, 04:45, said:
It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).
I have no idea what constraints the Australian parliament puts on foreign companies dealing with its citizen's personal data.
Who knows about this place. I can't really comment. I hope that isn't taken the wrong way. Just I'm used to dealing with professionals. And much as it may not seem like the right thing to say I personally pay a lot less attention to extensive bureaucratic legal documentation and kind of assume that I and they just tend to do the right thing almost all (if not all) the time. EDIT I think by definition we should say essentially all the time.
#14
Posted 2020-October-29, 20:02
hrothgar, on 2020-October-29, 06:19, said:
Here's a bit more information
.......
Thanks for all the extra information Richard
I will try and think up more about what my concerns are. I'm sure I've already expressed enough about them. I don't exactly have much authority or reason to question anything in the Bridge world, especially for an accredited site. But it does relate to the potential overreach into many people's lives, most of whom are just playing it as a game etc - and it could be terrible for any misunderstood action at some random online table, use of limited models, strange time delays, unusual bids (that would cause an incident in a club), being labelled as abusive player when simply responding to abuse, technical and other professional and ethical knowledge, use of behavioural or other models, competence and values of anyone and everyone involved in use of the data, how many different ways such data could be used, potential profiling of people, IP numbers, ISPs, etc. I will try and write something up as my replies on the forum are often untidy and need edits, and may contain errors etc. I am sure all my concerns are understood by those I trust to be involved somewhere. It would be sad if they were not involved and/or were ignored etc.
EDIT I am editing the rest. As usual it's starting to sprawl and getting untidy.
#15
Posted 2020-October-30, 12:40
mycroft, on 2020-October-29, 17:11, said:
And, with a name that is almost unique across the internet (assuming you know I never played Cricket, or am not 100 years old and, you know, *dead*, I am unique) you don't need to tell me anything about "slightly unusual surname". Why do you think I'm "mycroft" online? (and yes, I realize it's futile. But I don't have to make it *easy*)
I see your "quite unusual surname" and raise you an "unusual first name, really unique when paired". I think there is at least a match if you translate my first name, but if not, it would take a few steps to repeat.
#16
Posted 2020-October-30, 13:38
thepossum, on 2020-October-29, 20:02, said:
I will try and think up more about what my concerns are. I'm sure I've already expressed enough about them. I don't exactly have much authority or reason to question anything in the Bridge world, especially for an accredited site. But it does relate to the potential overreach into many people's lives, most of whom are just playing it as a game etc - and it could be terrible for any misunderstood action at some random online table, use of limited models, strange time delays, unusual bids (that would cause an incident in a club), being labelled as abusive player when simply responding to abuse, technical and other professional and ethical knowledge, use of behavioural or other models, competence and values of anyone and everyone involved in use of the data, how many different ways such data could be used, potential profiling of people, IP numbers, ISPs, etc. I will try and write something up as my replies on the forum are often untidy and need edits, and may contain errors etc. I am sure all my concerns are understood by those I trust to be involved somewhere. It would be sad if they were not involved and/or were ignored etc.
EDIT I am editing the rest. As usual it's starting to sprawl and getting untidy.
FWIW, my impression is that BBO has done a good job controlling access to this sort of information.
The metadata and information about delays and the like isn't provided to random individuals; rather, access is restricted (and it seems to be restricted to a reasonable set of people). For example, Tournament Directors sometimes need access to information about delays in bidding so they can make reasonable decisions about Unauthorized Information. NBOs who are prosecuting accusations around cheating might need information about the IP addresses that are kibitzing hands.
Where I think the BBO has failed is in not doing a good enough job documenting its privacy policies and describing legitimate purposes for collecting and sharing data.
#17
Posted 2020-October-31, 00:42
hrothgar, on 2020-October-30, 13:38, said:
I don't know why delays need to be restricted. It seems they are already a matter of public record, having been part of up to 3 other players' real time experience, and any player at the table could "record" the game on video so the exact delay times can easily be determined. Even more public record would be the cards in each player's hand, the bidding, and the play, as well as the board results and the overall tournament results.
#18
Posted 2020-November-01, 17:35
hrothgar, on 2020-October-29, 05:44, said:
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.
Some people, myself included, pointed this out at the time.
I think we're an American company that's owned by a French company. When the sale happened, FunBridge, BBO, and Le Bridgeur magazine all became subsidiaries of 52 Entertainment (a new holding company that was formed for this purpose).
IANAL, so I don't know what that means in terms of legal jurisdiction.