Upcoming changes for GDPR compliance
EDIT: some information in this first post is no longer up-to-date.
Please see the update further down. /EDIT
qlstats will become opt-in based. Players will have to register by using their steam login and accept the data privacy policy in order to have a match history and a rating. Unregistered players will show up in match reports as "Untracked Players" and no reference to any personal data (including steam-id) will be stored by qlstats.
However, since untracked players by definition can't have a rating, and the rating process for a match depends on every player having a rating, a match with an untracked player in it cannot be rated for anyone.
If a server owner wants to run a "ranked server" where all matches get rated, he will have to use a minqlx plugin to ensure only registered players can join the match. This is not because qlstats is evil, it is a requirement for the system to work. Ratings don't appear out of thin air and matchmaking depends on player ratings.
A player will also have the option to delete his account at any time. qlstats will keep only the steam-id and the date of deletion on record for 2 months to prevent re-signup; everything else is deleted immediately and in the existing matches the player is replaced with an anonymous placeholder.
If a player does not register by May 25th, he will be treated as "not tracked", but the data is kept for 2 more months to allow the player to register or delete it explicitly. During this time the player's information will not be accessible via web site or API. After those 2 months, data of unregistered players will be deleted and matches anonymized.
This is just a heads-up, more updates will come over the coming days.
-PredatH0r
Why not just assign the name "untracked player" to all players who have not registered and opted-in, but still perform glicko calculations based on steamID on the back end? Make it an explicit internal policy to not mine any steamID related data, and not expose any steamIDs publicly for untracked players. Do not parse names from match data feeds or any information other than steamID and associated match stats. To prevent hypothetical de-anonymization based on precise glicko, simply round the glickos displayed on each match result for each "untracked player" to the nearest 50 points, or the nearest 25 points with a randomization factor to skew rounding up or down unpredictably. That should be MORE than sufficient.
If necessary, as absurd as this would be imo, provide an option whereby people can login to request anonymized data associated with their steamID to be removed entirely. Even in that case, matches in which they were present could still be rated, albeit somewhat less accurately, by assigning their stats in a given match an "imaginary glicko" i.e. a placeholder generated as a function of their score in comparison to everyone else's score and glicko in a single match.
Keep in mind that this information is not being passively collected by you, but is in fact being *broadcast* by servers voluntarily, for the express purpose of enabling match ranking services.
Also make opt-in easy. The steam API sign on stuff is annoying and awful. Instead, why not allow users to simply add an authentication string to the description part of their steam profile? This is how major companies like Google, Microsoft, Facebook, etc. authenticate ownership of websites and stuff like that.
If a player hasn't registered and expressed his consent, I cannot store his steam-ID and a Glicko rating attached to it.
And without being able to store and adjust a player's rating, the system won't work.
That sort of access token on a player's profile page won't be good enough. I am not monitoring player profile pages if they add or remove access tokens, neither does that in any way satisfy the conditions of the GDPR that users must have read the privacy policy - and in which version.
I also need to be able to authenticate a user for functions like deleting the profile or requesting data export.
Another important point to consider is that steamIDs are not private information. Not implicitly or explicitly. While it could be argued that an IP address is, because it can only be seen by the owner of a server, a steamID is disclosed even in the case of private profiles. Every time you play a game with someone, their profile link and steamID appears in the "recently played with" listing in the steam interface. What's more, steamIDs are disclosed by every QL server to every other user. IP addresses are not.
GDPR art. 4 defines "personal data" as such:
The key here is the idea that data becomes 'personal data' if it can be linked to the real identity of a natural person. Clearly no one in the scenario we're talking about is "identified". But what about identifiable? If so by whom? How? There has to be the possibility of someone correlating data to a natural person -- some means by which a party could connect the dots and identify someone.
There is no scenario outside of you personally hacking Valve's payment system that would make it possible for QLstats to use a steamID to identify a natural person. There is no scenario by which you or any other third party could legally request Valve disclose payment information to you. It would be illegal for them to do so.
If you were to just publish steamIDs, there's a theoretical risk someone else could set up a parallel database to associate steamIDs to dox information they have somehow collected, but under my proposal you would NOT publish steamIDs without consent.
If QLstats were to publish match data and associate it with a steamID publicly, it might enable some evildoer at Valve to associate the match data to a natural person. But the critical point is you would not publish steamIDs of anyone who is not a consenting member.
A similar idea is discussed here, regarding IPs, in an article by "intersoft consulting":
I think the notion of IPs being personal data could be pushed even further, if someone is publicly publishing IPs or performing processing to correlate IP to a broader data set and de-anonymize internet users, but a steamID is far less inherently linked to a natural person AND it is publicly available for all to see.
Also relevant:
Recital 153
Most member states provide protections for journalistic activities in public places. There is a strong analogy here for exactly that. As mentioned above, steamIDs are published publicly, and are accessible to anyone.
Also relevant:
Note the reference to pseudonymisation... That comes up in several articles of the GDPR.
Art. 35:
GDPR recognizes in several articles the idea that publicly accessible information exists, and is not inherently covered by protections. However care is urged in the collecting and processing of publicly accessible information:
Art. 6 GDPR
This article specifically talks about scenarios where one might be in the position to process data for a purpose other than the original consented reason. In this case, steamID holders satisfy the following requirement: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". That is part of the Steam user agreement.
This is where you come in:
I'm quite sure there will be lots of court cases to clarify what "identifiable" means in particular cases.
When I look at https://www.gdpreu.org/the-regulation/key-concepts/personal-data/ they mention:
So if someone - for whatever reason - puts his steam-id and real name on a publicly accessible web page, it makes him indirectly identifiable by his steam-id.
Even if he doesn't post that information publicly, his real-life friends might know his steam-id (e.g. from the steam friends list) and use it to get information about the person. The GDPR only says "identifiable" and not "identifiable by the controller". So if ANY 3rd party can link the steam-id to the real identity, this can also be seen as "identifiable".
Even if there is no public "steam-id to Name" dictionary out there, it is safe to assume that there are many players out there whose real name and steam-ids are known by many players.
Please don't get me wrong. I'm not trying to be stubborn, I am just trying to be safe and also respect the purpose of the GDPR, to protect the privacy of people.
qlranks was entirely based on team win/loss, which has its own downsides.
IMO the bonus approach is a good compromise. The 20% are an arbitrary number that seemed reasonable. It's not written in stone, but since this is the first request I hear to change it, I won't do it right away.
https://qlstats.net/news#50034
After more reading and consulting in regards to GDPR, we have a new strategy now.
Without explicit opt-in, a player now defaults to an "anonymous" privacy level.
In this level qlstats stores only the steam-id, current Glicko ratings and a "cheater" flag - nothing else. We don't store any nicknames nor do we know in which matches the player participated. In match results anonymous players are listed as "Anonymous" with generic player IDs that cannot be linked back to a player.
For those who do not want to be rated at all, they can use the "Delete Account" function. That will anonymize the existing data and mark the steam-id so that no further data will be collected.
Matches with an "Untracked Player" in them can't be rated by qlstats. It's up to server owners if they want to run a plugin to block such players when they want to ensure matches can be rated.
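The storage rules described in the update above, sketched as an added example that is not part of the original post and is not qlstats code. The record layout, the level names, the 1500 starting rating and `toy_rate` (a stand-in for the Glicko update) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

REGISTERED, ANONYMOUS, UNTRACKED = "registered", "anonymous", "untracked"
LABEL = {ANONYMOUS: "Anonymous", UNTRACKED: "Untracked Player"}

@dataclass
class Store:
    privacy: dict                                   # steam_id -> level; missing = ANONYMOUS default
    ratings: dict = field(default_factory=dict)     # steam_id -> rating (kept for anonymous players too)
    match_rows: list = field(default_factory=list)  # what ends up persisted per match

def toy_rate(old, players):
    """Placeholder for the Glicko update: +10 above the mean score, otherwise -10."""
    mean = sum(p["score"] for p in players) / len(players)
    return {p["steam_id"]: old[p["steam_id"]] + (10 if p["score"] > mean else -10)
            for p in players}

def ingest_match(store, match_id, players, rate=toy_rate):
    """Persist one match report; returns True if the match was rated."""
    levels = [store.privacy.get(p["steam_id"], ANONYMOUS) for p in players]
    rated = UNTRACKED not in levels          # one untracked player -> nobody is rated
    if rated:
        old = {p["steam_id"]: store.ratings.get(p["steam_id"], 1500) for p in players}
        store.ratings.update(rate(old, players))
    for slot, (p, level) in enumerate(zip(players, levels), start=1):
        if level == REGISTERED:
            row = {"match": match_id, "player": p["steam_id"], "nick": p["nick"]}
        else:  # placeholder is per-match and carries no steam-id or nickname
            row = {"match": match_id, "player": f"{LABEL[level]} #{slot}", "nick": LABEL[level]}
        row["score"] = p["score"]
        store.match_rows.append(row)
    return rated

def matches_linked_to(store, steam_id):
    """Match ids that can be tied to a steam-id from the stored rows alone."""
    return sorted({r["match"] for r in store.match_rows if r["player"] == steam_id})

# Constructed sample data: steam-ids and nicknames are made up.
def demo():
    store = Store(privacy={"7656-A": REGISTERED, "7656-C": UNTRACKED})
    feed1 = [{"steam_id": "7656-A", "nick": "alice", "score": 30},
             {"steam_id": "7656-B", "nick": "bob", "score": 10}]
    feed2 = feed1 + [{"steam_id": "7656-C", "nick": "carol", "score": 20}]
    return store, ingest_match(store, "m1", feed1), ingest_match(store, "m2", feed2)
```

`matches_linked_to` is the check worth running against a real schema: for any player who has not opted in, it should return nothing even though a rating is still held under that steam-id.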
and let's not forget this is so far completely beyond the scope of gdpr. notice how an actual commercial service like dotabuff isn't going anywhere or changing anything.
If you want to be able to see in which matches you played and what the results are, you do have to log in (once) and give qlstats your permission to collect that data.
If you don't, you will be replaced with a generic, non-traceable "Anonymous Player" entry in the match results. That's on the database level, not just on screen. So there is no way for us to show you your results, if we don't get the permission to store in which matches you played.
There is a patched version of balance.py for TESTING purposes only: https://github.com/MinoMino/minqlx-plugins/blob/develop/balance.py
If you want to try it out on your server, you can do this:
If you find bugs - report in #minqlbot on QuakeNet